
OS/390

IBM

Security Server (RACF)

Planning: Installation and Migration

GC28-1920-03


Note

Before using this information and the product it supports, be sure to read the general information under

Fourth Edition, September 1997

This is a major revision of GC28-1920-02.

This edition applies to Version 2 Release 4 of OS/390 (5647-A01) and to all subsequent releases and modifica indicated in new editions.

Order publications through your IBM representative or the IBM branch office serving your locality. Publicati at the address below.

IBM welcomes your comments. A form for readers' comments may be provided at the back of this publication, your comments to the following address:

International Business Machines Corporation
Department 55JA, Mail Station P384
522 South Road
Poughkeepsie, NY 12601-5400
United States of America

FAX (United States & Canada): 1+914+432-9405
FAX (Other Countries): Your International Access Code +1+914+432-9405
IBMLink (United States customers only): KGNVMC(MHVRCFS)
IBM Mail Exchange: USIB6TC9 at IBMMAIL
Internet e-mail: mhvrcfs@vnet.ibm.com
World Wide Web: http://www.s390.ibm.com/os390

If you would like a reply, be sure to include your name, address, telephone number, or FAX number. Make sure to include the following in your comment or note:

• Title and order number of this book
• Page number or topic related to your comment

When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information i appropriate without incurring any obligation to you.

Copyright International Business Machines Corporation 1994, 1997. All rights reserved.

Note to U.S. Government Users — Documentation related to restricted rights — Use, duplication or disclosure restrictions set forth in GSA ADP Schedule Contract with IBM Corp.

Contents

Notices  vii
Trademarks  ix
About This Book  xi
Who Should Use This Book  xi
How to Use This Book  xi
Where to Find More Information  xii
IBM Systems Center Publications  xiii
Other Sources of Information  xiv
To Request Copies of IBM Publications  xv
Summary of Changes  xvii

Chapter 1. Planning for Migration  1
Migration Planning Considerations  1
Installation Considerations  2
Customization Considerations  2
Administration Considerations  2
Auditing Considerations  3
Application Development Considerations  3
General User Considerations  3

Chapter 2. Release Overview  5
New and Enhanced Support  5
RACF/DB2 External Security Module  5
Enhancements to Support for OpenEdition Services  6
Run-Time Library Services  7
Password History Enhancements  7
Tivoli Management Environment (TME) 10 Global Enterprise Management User Administration Service  8
Program Control by System ID  8
New FMID  9
OW24966 Enhancements to TARGET Command  9
Enable/Disable Changes  10
OW26237 Enhancements of Global Access Checking  10

Chapter 3. Summary of Changes to RACF Components for OS/390 Release 4  11
Callable Services  11
Class Descriptor Table (CDT)  12
Commands  13
Data Areas  15
Exits  16
Macros  17
Messages  17
New Messages  17
Changed Messages  17
Deleted Messages  18
Panels  18

Copyright IBM Corp. 1994, 1997

SYS1.SAMPLIB  19
Publications Library  20

Chapter 4. Planning Considerations  21
Migration Strategy  21
Migration Paths for OS/390 Release 4 Security Server (RACF)  21
Hardware Requirements  22
Compatibility  23
OpenEdition MVS  23
Program Control by System ID  23
RELEASE=2.4 Keyword on Macros  23

Chapter 5. Installation Considerations  25
RACF Storage Considerations  25
Virtual Storage  25
Templates for RACF on OS/390 Release 4  27

Chapter 6. Customization Considerations  29
Customer Additions to the Router Table and the CDT  29
RACF/DB2 External Security Module Customization  29
Exit Processing  30

Chapter 7. Administration Considerations  31
The TMEADMIN Class  31
Password History Changes  31
Program Control by System ID  31
Enhancements of Global Access Checking  32

Chapter 8. Auditing Considerations  33
SMF Records  33

Chapter 9. Application Development Considerations  35
Programming Interfaces  35
RELEASE=2.4 Keyword on Macros  35
FASTAUTH Changes  35

Chapter 10. General User Considerations  37
Password History Changes  37

Glossary  39
How to Get Your RACF CD  47
Index  49

iv OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Figures

1. New Callable Services  11
2. Changed Callable Services  12
3. New Classes  13
4. Changes to RACF Commands  13
5. Changes to PSPI Data Areas  16
6. Changed Executable Macros  17
7. New Panels for RACF  19
8. Changed Panels for RACF  19
9. Change to SYS1.SAMPLIB  19
10. Changes to the RACF Publications Library  20
11. RACF Estimated Storage Usage  25
12. Changes to SMF Records  33

Notices

References in this publication to IBM products, programs, or service that IBM intends to make these available in all countries in which I

Any reference to an IBM product, program, or service is not intende imply that only IBM's product, program, or service may be used. A f equivalent product, program, or service which does not infringe on any intellectual property rights may be used instead of the IBM produc service. Evaluation and verification of operation in conjunction with ot programs, or services, except those expressly designated by IBM, i responsibility.

IBM may have patents or pending patent applications covering subject this document. The furnishing of this document does not give you any these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
500 Columbus Avenue
Thornwood, NY 10594
USA

Licensees of this program who wish to have information about it for enabling: (i) the exchange of information between independently creat and other programs (including this one) and (ii) the mutual use of t which has been exchanged, should contact:

IBM Corporation
Mail Station P300
522 South Road
Poughkeepsie, NY 12601-5400
USA
Attention: Information Request

Such information may be available, subject to appropriate terms and c including in some cases, payment of a fee.

Trademarks

The following terms are trademarks of the IBM Corporation in the Unit other countries or both:

• AIX/6000
• BookManager
• CICS
• CICS/ESA
• DB2
• DFSMS
• FFST
• FFST/MVS
• IBM
• IBMLink
• IMS
• Library Reader
• MVS/ESA
• MVS/XA
• NetView
• OpenEdition
• OS/2
• OS/390
• Parallel Sysplex
• RACF
• RETAIN
• S/390
• SOMobjects
• System/390
• SystemView
• TalkLink
• VM/ESA
• VM/XA

UNIX is a registered trademark in the United States and other co exclusively through X/Open Company Limited.

Windows is a trademark of Microsoft Corporation.

Other company, product, and service names, which may be denoted by asterisk (**), may be trademarks or service marks of others.

About This Book

This book contains information about the Resource Access Control Facilit which is part of the OS/390 Security Server. The Security Server has components:

• RACF
• OpenEdition DCE Security Server

For information about the OpenEdition DCE Security Server, see the pub related to that component.

This book provides information to guide you through the migration proc OS/390 Release 3 Security Server (RACF) or RACF to OS/390 Release 4 Se Server (RACF).

The purpose of this book is to ensure an orderly transition to a n It is not intended for customers installing RACF for the first time or in release prior to Security Server (RACF) Release 3. First-time RACF cust should read OS/390 Security Server (RACF) Introduction and use the program directory shipped with the product when they are ready to install

Who Should Use This Book

This book is intended for experienced system programmers responsible migrating from OS/390 Release 3 Security Server (RACF) to OS/390 Releas Security Server (RACF). This book assumes you have knowledge of OS/390 Release 3 Security Server (RACF).

If you are migrating from a RACF 2.2, or earlier, or from an OS/390 release prior to OS/390 Release 3, you should also read previous ve book, as described in “Migration Paths for OS/390 Release 4 Security Server (RACF)” on page 21.

How to Use This Book

This book is organized in the following order:

• Chapter 1, “Planning for Migration” on page 1, provides information to plan your installation's migration to the new release of RACF.
• Chapter 2, “Release Overview” on page 5, provides an overview of s the new release.
• Chapter 3, “Summary of Changes to RACF Components for OS/390 Release 4” on page 11, lists specific new and changed support for the
• Chapter 4, “Planning Considerations” on page 21, describes high-level migration considerations for customers upgrading to the new release from previous levels of RACF.
• Chapter 5, “Installation Considerations” on page 25, highlights informati about installing the new release of RACF.
• Chapter 6, “Customization Considerations” on page 29, highlights informatio about customizing function to take advantage of new support after t release of RACF is installed.
• Chapter 7, “Administration Considerations” on page 31, summarizes changes to administration procedures for the new release of RACF.
• Chapter 8, “Auditing Considerations” on page 33, summarizes changes to auditing procedures for the new release of RACF.
• Chapter 9, “Application Development Considerations” on page 35, identifies changes in the new release of RACF that might require changes to installation's existing programs.
• Chapter 10, “General User Considerations” on page 37, summarizes new support that might affect general user procedures.

Where to Find More Information

Where necessary, this book references information in other books. For titles and order numbers for all products that are part of OS/390, se OS/390 Information Roadmap.

Softcopy Publications

The OS/390 Security Server (RACF) library is available on the following CD- The CD-ROM collections include the IBM Library Reader, a program that customers to read the softcopy books.

• The OS/390 Security Server (RACF) Information Package, SK2T-2180

  This softcopy collection kit contains the OS/390 Security Server (RACF) It also contains the RACF/MVS Version 2 product libraries, the RACF/VM product library, product books from the OS/390 and VM collections, International Technical Support Organization (ITSO) books, and Washington System Center (WSC) books that contain substantial amounts of information related to RACF. The kit does not contain any licensed publications. this CD-ROM, you have access to RACF-related information from IBM prod such as OS/390, VM, CICS, and NetView without maintaining shelves of hardcopy documentation or handling multiple CD-ROMs. To get more information on the OS/390 Security Server (RACF) Information Package, see the advertisement at the back of the book.

• The OS/390 Collection Kit, SK2T-6700

  This softcopy collection contains a set of OS/390 and related produc This kit contains unlicensed books.

• The Online Library Omnibus Edition MVS Collection Kit, SK2T-0710

  This softcopy collection contains a set of key MVS and MVS-related pr books. It also includes the RACF Version 2 product libraries. OS/390 Security Server (RACF) Messages and Codes is also available as part of Online Library Productivity Edition Messages and Codes Collection, SK2T-2068.

RACF Courses

The following RACF classroom courses are also available:

• Effective RACF Administration, H3927
• MVS/ESA RACF Security Topics, H3918
• Implementing RACF Security for CICS/ESA, H3992

IBM provides a variety of educational offerings for RACF. For more classroom courses and other offerings, see your IBM representative, Mainframe Training Solutions, GR28-5467, or call 1-800-IBM-TEACH (1-800-426-8322).

IBM Systems Center Publications

IBM systems centers produce “red” and “orange” books that can be setting up and using RACF.

These books have not been subjected to any formal review nor have checked for technical accuracy, but they represent current product (at the time of their publication) and provide valuable information on of RACF topics. They are not shipped with RACF. You must order them separately. A selected list of these books follows:

• Systems Security Publications Bibliography, G320-9279
• Elements of Security: RACF Overview - Student Notes, GG24-3970
• Elements of Security: RACF Installation - Student Notes, GG24-3971
• Elements of Security: RACF Advanced Topics - Student Notes, GG24-3972
• RACF Version 2 Release 2 Technical Presentation Guide, GG24-2539
• RACF Version 2 Release 2 Installation and Implementation Guide, SG24-4580
• Enhanced Auditing Using the RACF SMF Data Unload Utility, GG24-4453
• RACF Macros and Exit Coding, GG24-3984
• RACF Support for Open Systems Technical Presentation Guide, GG26-2005
• DFSMS and RACF Usage Considerations, GG24-3378
• Introduction to System and Network Security: Considerations, Options, Techniques, GG24-3451
• Network Security Involving the NetView Family of Products, GG24-3524
• System/390 MVS Sysplex Hardware and Software Migration, GC28-1210
• Secured Single Signon in a Client/Server Environment, GG24-4282
• Tutorial: Options for Tuning RACF, GG22-9396
| • OS/390 Security Server Audit Tool and Report Application, SG24-4820

Other books are available, but they are not included in this list, information they present has been incorporated into IBM product manua because their technical content is outdated.

About This Book xiii

Other Sources of Information

IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is availa the Internet.

IBM Discussion Areas

Two discussion areas provided by IBM are the MVSRACF discussion and the SECURITY discussion.

• MVSRACF

  MVSRACF is available to customers through IBM's TalkLink offering. To access MVSRACF from TalkLink:

  1. Select S390 (the S/390 Developers' Association).
  2. Use the fastpath keyword: MVSRACF.

• SECURITY

  SECURITY is available to customers through IBM's DialIBM offering, wh may be known by other names in various countries. To access SECURITY:

  1. Use the CONFER fastpath option.
  2. Select the SECURITY CFORUM.

Contact your IBM representative for information on TalkLink, DialIBM, or e offerings for your country and for more information on the availability MVSRACF and SECURITY discussions.

Internet Sources

The following resources are available through the Internet:

• RACF home page

  You can visit the RACF home page on the World Wide Web using this http://www.s390.ibm.com/products/racf/racfhp.html or http://www.s390.ibm.com/racf

• RACF-L discussion list

  Customers and IBM participants may also discuss RACF on the RACF-L discussion list. RACF-L is not operated or sponsored by IBM; it is University of Georgia.

  To subscribe to the RACF-L discussion, so you can receive postings, note to:

  listserv@uga.cc.uga.edu

  Include the following line in the body of the note, substituting yo and last name as indicated:

  subscribe racf-l first_name last_name

  To post a question or response to RACF-L, send a note to:

  racf-l@uga.cc.uga.edu

  Include an appropriate Subject: line.

• Sample code

  You can get sample code, internally-developed tools, and exits to RACF. All this code works in our environment, at the time we make i but is not officially supported. Each tool or sample has a README describes the tool or sample and any restrictions on its use.

  The simplest way to reach this code is through the RACF home pa home page, click on System/390 FTP Servers under the topic, “RACF Sample Materials.”

  The code is also available from lscftp.pok.ibm.com through anonymous ftp. To get access:

  1. Log in as user anonymous.
  2. Change the directory (cd /pub/racf/mvs) to find the subdirectories th contain the sample code. We'll post an announcement on RACF-L, MVSRACF, and SECURITY CFORUM whenever we add anything.

  Restrictions

  Because the sample code and tools are not officially supported,

  • There are no guaranteed enhancements.
  • No APARs can be accepted.

  The name and availability of the ftp server may change in the future. We'll post an announcement on RACF-L, MVSRACF, and SECURITY CFORUM if this happens.

  However, even with these restrictions, it should be useful for access to this code.

To Request Copies of IBM Publications

Direct your request for copies of any IBM publication to your IBM to the IBM branch office serving your locality.

There is also a toll-free customer support number (1-800-879-2755) availabl Monday through Friday from 6:30 a.m. through 5:00 p.m. Mountain Time. You use this number to:

• Order or inquire about IBM publications
• Resolve any software manufacturing or delivery concerns
• Activate the Program Reorder Form to provide faster and more conve ordering of software updates

See the advertisement at the back of the book for information abou OS/390 Security Server (RACF) Information Package.

Summary of Changes

| Summary of Changes
| for GC28-1920-03
| OS/390 Version 2 Release 4

| This book contains primarily new information for OS/390 Version 2 Relea
| Security Server (RACF). When any information appeared in an earlier r
| information that is new is indicated by a vertical line to the lef

Summary of Changes for GC28-1920-02 OS/390 Release 3

This book contains new information for OS/390 Release 3 Security Server

Summary of Changes for GC28-1920-01 OS/390 Release 2

This book contains new information for OS/390 Release 2 Security Server

Summary of Changes for GC28-1920-00 OS/390 Release 1

This book contains information previously presented in RACF Planning: Installation and Migration, GC23-3736, which supports RACF Version 2 Release 2. This book includes terminology, maintenance, and editorial changes.

Chapter 1. Planning for Migration

This chapter provides information to help you plan your installation's m the new release of OS/390 Security Server (RACF). Before attempting t you should define a plan to ensure a smooth and orderly transition. thought-out and documented migration plan can help minimize any interrupt service.

Your migration plan should address such topics as:

• Identifying which required and optional products are needed
• Evaluating new and changed functions
• Evaluating how incompatibilities affect your installation
• Defining necessary changes to:
  – Installation-written code
  – Operational procedures
  – Application programs
  – Other related products
• Defining education requirements for operators and end users
• Preparing your staff and end users for migration, if necessary
• Acquiring and installing the latest service level of RACF for mainten

The content and extent of a migration plan can vary significantly from installation. To successfully migrate to a new release of RACF, you s installing and stabilizing the new RACF release without activating the n provided. Installing the new RACF release without initially exploiting n allows you to maintain a stable RACF environment. The program directory with the new OS/390 release gives detailed information about the cor required for installation.

When defining your installation's migration plan, you should consider the

• Migration
• Installation
• Customization
• Administration
• Auditing
• Operation
• Application development
• General users

Migration Planning Considerations

Installations planning to migrate to a new release of RACF must conside support requirements such as machine and programming restrictions, migra paths, and program compatibility.

For more information, see Chapter 4, “Planning Considerations” on page 21.

Installation Considerations

Before installing a new release of RACF, you must determine what updat needed for IBM-supplied products, system libraries, and non-IBM product (Procedures for installing RACF are described in the program directory OS/390, not in this book.)

Be sure you include the following steps when planning your pre-installatio activities:

• Obtain and install any required program temporary fixes (PTFs) or upd versions of the operating system.

  Call the IBM Software Support Center to obtain the preventive service (PSP) upgrade for RACF. This provides the most current information on P for RACF. Have RETAIN checked again just before testing RACF. Inform for requesting the PSP upgrade can be found in the program directo Although the program directory contains a list of the required PTFs, current information is available from the support center.

• Contact programmers responsible for updating programs.

  Verify that your installation's programs will continue to run, and, if make changes to ensure compatibility with the new release.

For more information, see Chapter 5, “Installation Considerations” on page 2

Customization Considerations

In order for RACF to meet the specific requirements of your installat customize function to take advantage of new support after the product For example, you can tailor RACF through the use of installation exit r descriptor table (CDT) support, or options to improve performance. This changes to RACF that might require the installation to tailor the produc ensure that RACF runs as before or to accommodate new security contro installation requires.

For more information, see Chapter 6, “Customization Considerations” on page

Administration Considerations

Security administrators must be aware of how changes introduced by a product release can affect an installation's data processing resources. real and virtual storage requirements, performance, security, and integr interest to security administrators or to system programmers who are r for making decisions about the computing system resources used with a

For more information, see Chapter 7, “Administration Considerations” on page

Auditing Considerations

Auditors who are responsible for ensuring proper access control and accountability for their installation are interested in changes to security options and report generation utilities.

For more information, see Chapter 8, “Auditing Considerations” on page 33.

Application Development Considerations

Application development programmers must be aware of new functions introduced in a new release of RACF. To implement a new function, the application development personnel should read this book and the following books:

• OS/390 Security Server External Security Interface (RACROUTE) Macro Reference
• OS/390 Security Server (RACF) Data Areas
• OS/390 Security Server (RACF) Macros and Interfaces

To ensure that existing programs run as before, the application programmers should be aware of any changes in data areas and processing requirements. This book provides an overview of the changes that might affect existing programs.

For more information, see Chapter 9, “Application Development Considerations” on page 35.

 

 

 

 

 

 

 

 

 

 

General User Considerations

RACF general users use a RACF-protected system to:

• Log on to the system
• Access resources on the system
• Protect their own resources and any group resources to which they have the administrative authority

This book provides an overview of the changes that might affect existing procedures for general users. For more information, see Chapter 10, “General User Considerations” on page 37.


Chapter 2. Release Overview

This chapter lists the new and enhanced functions of RACF for OS/390 and gives a brief overview of each new function or function enhancement.

New and Enhanced Support

For OS/390 Release 4, RACF provides:

• Support for the RACF/DB2 external security module
• Additional auditing of OpenEdition superuser status
• Default OpenEdition USER/GROUP support
• Run-time library services support
• Password history enhancements
• OW23445 enhancement to allow RACF user profile administration using the Tivoli Management Environment (TME) administration service
• OW25727 enhancement to allow program control by system ID
• New FMID
• OW24966 enhancements to the TARGET command
• Enable/disable changes
• OW26237 enhancements to global access checking

RACF/DB2 External Security Module

The Security Server for OS/390 Release 4 is providing a new function that gives you the ability to control access to DB2 objects using RACF profiles. This function is provided as a fully supported exit module called the RACF/DB2 external security module. If you choose to use this new support, the module is designed to receive control from the DB2 access control authorization exit point. The highlights of this support include:

• Single point of control for administering and auditing DB2 access
• Ability to define security rules before a DB2 object is created
• Ability to have security rules persist when a DB2 object is dropped
• Ability to control access to DB2 objects with generic profiles
• Flexibility to control access to DB2 objects for single or multiple DB2 subsystems with a single set of RACF profiles
• Ability to validate a user ID before permitting it access to a DB2 subsystem
• Elimination of DB2 cascading revoke

Use of this function requires the DB2 access control authorization exit provided in DB2 Version 5.

Copyright IBM Corp. 1994, 1997

5

Enhancements to Support for OpenEdition Services

Enhancements to RACF's support for OpenEdition services include:

• Extended ability to audit the use of superuser status
• Default USER/GROUP support provided by APAR OW26800

Extended Ability to Audit the Use of Superuser Status

This support allows the auditing of the new OpenEdition spawn service. It determines when a user is a superuser and the identity of that user. This audit function allows a full audit trail that can be used to ensure that controls on the use of superuser status are adequate.

Auditing the use of superuser status is performed using the ck_priv service and the PROCESS class processing to audit UID and GID changes. The audit code 101 is added.

If you are not already auditing the PROCESS class, issue SETROPTS LOGOPTIONS(xxxx(PROCESS)) to obtain the SMF TYPE80 record for ck_priv.

 

Default USER/GROUP OMVS Segment Provided by APAR OW26800

RACF allows definition of a system-wide default for OMVS segment information, making it possible for users not specifically defined as OpenEdition MVS users to make use of OpenEdition services.

With this release, OpenEdition sockets are the primary socket interface. To accommodate this support, RACF provides the ability to define default OpenEdition identities by setting a system-wide option.

Previously, to use OpenEdition services, you needed to have a RACF USER profile with an OMVS segment containing a UID and a current connect group that had a GROUP profile with an OMVS segment containing a GID. If these were not available, the initUSP service failed and the process could not use OpenEdition services.

Now, if no OMVS segment is found in the USER profile during initUSP processing, the default OMVS segment is used. If the default is found, it is used to set the UID, HOME, and PROGRAM values for the user. If no default value is found, initUSP fails with the existing RACF return code of 8 and its existing reason code. The same processing is done for the user's current connect group. If no OMVS segment is found in the GROUP profile, the default is used. If no default is found, the initUSP fails with the existing RACF return code of 8 and reason code 8.

After a default UID, GID, or both are assigned, initUSP processing continues. If the user is connected to additional RACF groups and list-of-groups processing is active, the supplemental group list is built using the GIDs of these groups. No default processing occurs while the supplemental group list is built.

When initUSP assigns a default UID, GID, or both, it sets a bit in the USP to indicate that it is a default USP. This bit causes an additional relocate section to be added to any SMF TYPE80 records written by RACF callable services for that process.

The getUMAP and getGMAP services also look for default values. If getUMAP is given a user ID as input and the corresponding USER profile has no OMVS segment, the caller of the getUMAP service receives the default UID. If no default is found, RACF return code 8, reason code 4 are returned by the getUMAP service. If a UID is passed to getUMAP, then it returns a user ID, which is likely to be the user ID of the default user.

Similarly, if getGMAP is given a group name as input and the corresponding GROUP profile has no OMVS segment, the caller of the getGMAP service receives the default GID. If no default value is found, RACF return code 8, reason code 4 are returned by the getGMAP service. If a GID is passed to getGMAP, it returns a group name, which is likely to be the group name of the default group.

The default OMVS segments reside in a USER profile and a GROUP profile. The installation selects the names of these profiles using a profile in the FACILITY class. The name of the FACILITY class profile is BPX.DEFAULT.USER. The application data field contains the user ID and the group name. The USER profile for the user ID specified contains the UID, and the GROUP profile for the group specified contains the GID.

In order to use this default USER/GROUP support, the following need to be done:

• Make the FACILITY class active.
• Define BPX.DEFAULT.USER with APPLDATA('uuuu/gggg'), where uuuu specifies a default user ID of 1-8 characters and gggg specifies a default group name of 1-8 characters. The USER profile uuuu needs to have an OMVS segment with the default UID, HOME, and PROGRAM. The GROUP profile gggg needs to have an OMVS segment giving the default GID.
• If only default user information is needed, use APPLDATA('uuuu').

The processing of the default OMVS segments for the user and the current connect group are independent of each other. The OMVS segment of the user specified on the initUSP may be used to obtain the UID, and the GID may come from the group specified in the FACILITY class profile. Similarly, if the default UID found through the user ID specified in the FACILITY class profile is used, the GID may come from the user's current connect group. Also, the user ID specified in the FACILITY class profile does not need to be a member of the group specified in that profile. These values are used independently.
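The three-step procedure above (activate FACILITY, define BPX.DEFAULT.USER, give the named USER and GROUP profiles OMVS segments), together with the PROCESS-class logging option from “Extended Ability to Audit the Use of Superuser Status”, as one batch TSO job. This is an added example, not code from the IBM manual: the job name, the carrier IDs OMVSDFLT and OMVSDGRP, UID and GID 999999, the home directory and the shell are assumptions to adapt to local naming standards. It also applies two checks the text does not spell out: the carrier user is defined NOPASSWORD (a protected user ID, so nobody can log on as it), and the default UID is deliberately not 0, because every user without an OMVS segment will run under whatever UID is put here.

```jcl
//BPXDFLT  JOB (ACCT),'BPX.DEFAULT.USER',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example (not IBM-supplied). Assumed names: OMVSDFLT,
//* OMVSDGRP, UID/GID 999999, HOME '/' and PROGRAM '/bin/sh'.
//* 1. Group that carries the default GID.
//* 2. Protected user (NOPASSWORD) that carries the default UID,
//*    HOME and PROGRAM. Never use UID(0) for the default.
//* 3. FACILITY profile naming both carriers, APPLDATA('uuuu/gggg').
//*    APPLDATA('OMVSDFLT') alone would supply only a default UID.
//* 4. FACILITY must be active. If your installation RACLISTs
//*    FACILITY, also issue SETROPTS RACLIST(FACILITY) REFRESH.
//* 5. Log PROCESS-class events so the ck_priv/superuser records, and
//*    the "default USP" relocate section, reach SMF type 80.
//* 6. Verify the three profiles.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  ADDGROUP OMVSDGRP OMVS(GID(999999))
  ADDUSER  OMVSDFLT DFLTGRP(OMVSDGRP) NOPASSWORD +
           OMVS(UID(999999) HOME('/') PROGRAM('/bin/sh'))
  RDEFINE  FACILITY BPX.DEFAULT.USER APPLDATA('OMVSDFLT/OMVSDGRP')
  SETROPTS CLASSACT(FACILITY)
  SETROPTS LOGOPTIONS(ALWAYS(PROCESS))
  RLIST    FACILITY BPX.DEFAULT.USER ALL
  LISTUSER OMVSDFLT OMVS NORACF
  LISTGRP  OMVSDGRP OMVS NORACF
/*
```

Submit once, then test with a user that has no OMVS segment: its initUSP now succeeds, and the SMF type 80 records written for that process carry the additional relocate section that marks a default USP, which is how an auditor tells defaulted identities apart from explicitly defined ones. Because all such users share UID 999999, a getUMAP by UID returns OMVSDFLT rather than the real user, exactly as the text warns; treat the default as a convenience for socket users, not as an identity for work that must be attributable.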

 

Run-Time Library Services

The Run-Time Library Services (RTLS) of OS/390 introduce new contents supervisor support to facilitate the binding of applications to a specific run-time environment defined on an installation basis. System programmers use FACILITY class profiles and RACF's program control when there is a need to control access to run-time libraries and the programs that use the run-time libraries.

Password History Enhancements

The password history enhancement makes it easier for installations to prevent users from circumventing password history security policy. The old password is saved in the password history list when a password is reset by an administrator. The following commands have been modified to save the old password when the password is reset:

• The ALTUSER command allows an administrator to reset a user's password to a temporary password or a default value. This command is modified to save the old password whenever the password is reset.
• The PASSWORD USER(userid) command provides users and administrators with a password reset function. This command is modified to save the old password whenever the password is reset.

 

 

 

 

Tivoli Management Environment (TME) 10 Global Enterprise Manager User Administration Service

The Tivoli Management Environment (TME) 10 Global Enterprise Manager User Administration Service provides the ability to manage UNIX, Windows NT, NetWare, and RACF accounts from a single, common interface (either graphical or command line). The RACF support for this, which was provided by APARs OW23445 and OW23446, includes:

• The TMEADMIN class, which is used to map a TME administrator to a RACF user ID.
• Callable services to:
  – Derive a session key from a previously generated RACF PassTicket. The Tivoli Management Region (TMR) TCP/IP server uses such session keys to encrypt and decrypt administrative data that flows between the TMR server and OS/390.
  – Convey RACF administrative changes to RACF. The new R_Admin callable service provides a function-code driven parameter list with data fields consisting of name-value pairs. This name-value pair support is used by the TME administration service to add or update the following RACF user profile information:
    – BASE profile information
    – OMVS segment
    – NETVIEW segment
    – TSO segment
    – CICS segment
  In addition to the above, the R_Admin callable service provides a run-command function in which most RACF TSO commands may be executed.
• Changes to the RACF TSO command ALTUSER. The NOCLAUTH keyword will now accept an asterisk ('*') to indicate removal of all of the user's CLAUTH authorities.

Program Control by System ID

RACF provides a means to restrict access to a program based on the system identifier (SMFID). This additional program control by system ID improves the management and usability of program products in a sysplex environment. It eliminates error-prone manual procedures and the need to keep DASD that is not shared, and it offers potential savings on licensing fees by controlling which systems in a sysplex the licensed software may execute on. Previously many customers complied with licensing agreements by paying for ALL systems that the software COULD run on, because there was no easy way to restrict access to a single system. This support provides a solution for the many customers that find themselves in such a situation.

The PERMIT command has a new keyword to add users and groups to the conditional access list, WHEN(SYSID(...)). This keyword is allowed only for the PROGRAM class. WHEN(SYSID(...)) is similar to the existing keywords WHEN(TERMINAL(...)), WHEN(PROGRAM(...)), and WHEN(JESINPUT(...)). No class is associated with SYSID. In addition, no check is made to determine whether the value specified for SYSID is valid.

A new error message is issued if WHEN(SYSID(...)) is specified for a class other than PROGRAM. When copying a conditional access list from a PROGRAM profile to a non-PROGRAM profile, WHEN(SYSID(...)) entries are not copied. No messages are issued if this is the case. This applies to ADDSD FROM, RDEFINE FROM, RACROUTE REQUEST=DEFINE with modeling, and PERMIT FROM.
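The PERMIT form described above, as an added example (not IBM-supplied code): it protects a load module under the PROGRAM class and grants one group the right to load it only on the two systems whose SMFPRMxx SID values are SYS1 and SYS2. The program name LICPROG, the library SYS1.LINKLIB, the group LICUSERS and the SMF IDs are assumptions.

```jcl
//PGMSYSID JOB (ACCT),'PGM CTL BY SYSID',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example (not IBM-supplied). Assumed: program LICPROG in
//* SYS1.LINKLIB, group LICUSERS, SMF IDs SYS1 and SYS2 (the SID values
//* from SMFPRMxx on the systems licensed to run it).
//* Caveats taken from the text: RACF does not validate the SYSID
//* values, so a typo silently produces an entry that never matches
//* (the user is denied everywhere, which at least fails closed), and
//* WHEN(SYSID) entries are dropped when a profile is copied with FROM,
//* so re-issue the PERMIT after any such copy. UACC(NONE) makes the
//* conditional entry the only path to the program.
//* Use SETROPTS WHEN(PROGRAM) without REFRESH if program control is
//* not yet active on this system.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDEFINE  PROGRAM LICPROG ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(NONE)
  PERMIT   LICPROG CLASS(PROGRAM) ID(LICUSERS) ACCESS(READ) +
           WHEN(SYSID(SYS1 SYS2))
  SETROPTS WHEN(PROGRAM) REFRESH
  RLIST    PROGRAM LICPROG ALL
/*
```

RLIST shows the new entry under the conditional access list. Verify the control by running LICPROG as a LICUSERS member on a system whose SMF ID is not in the list: the load should be denied and logged, while the same user on SYS1 or SYS2 succeeds.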

 

 

 

New FMID

OS/390 Release 4 Security Server (RACF) has a new FMID, HRF2240. Although RACF, as a component of the OS/390 Security Server, no longer has a version, release, and modification level of its own, for compatibility with previous versions and releases of RACF the new FMID is treated as if it represented RACF Version 2 Release 4. The RCVT contains the value 2040 to identify the RACF level. The ICHEINTY, ICHEACTN, and ICHETEST macros accept the keyword RELEASE=2.4, although they support no new keywords that would require the RELEASE=2.4 keyword.

OW24966 Enhancements to TARGET Command

The RACF TARGET command now accepts the new keyword WDSQUAL to allow allocation of the work space data sets when the system name starts with a numeric character. This keyword indicates that the variable that follows is the qualifier used by RRSF for the workspace data set names of the INMSG and OUTMSG queues for the local RRSF node defined by the TARGET command. WDSQUAL cannot be used for a remote node.

The format for the qualified name is prefix.wdsqual.ds_identity. wdsqual can be from 1 to 8 characters long, beginning with an alphabetic character. Initial numerals are not accepted. The formation of the workspace data set names can be changed until the data sets are allocated. Specifying WDSQUAL on another TARGET command after its node has become dormant or operative is not allowed. Specifying WDSQUAL and DORMANT or OPERATIVE on the same command is allowed.

If you have any TARGET commands in your IRROPTxx RACF parameter library member that specify the WORKSPACE keyword abbreviated to a W, you need to increase the length of that keyword to at least WO so it is not mistaken for the WDSQUAL keyword, which is now represented as W. It is recommended that the use of abbreviations be avoided in clists, REXX execs, and parmlib members. If WDSQUAL is not specified, the previously used format for the data set names is used. This is prefix.sysname.INMSG and prefix.sysname.OUTMSG.

For more information on the TARGET command, see OS/390 Security Server (RACF) Command Language Reference.
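An IRROPTxx member showing the WDSQUAL keyword and the abbreviation hazard described above, as an added example rather than text from the manual. The node name 1SYSA, prefix SYS1.RRSF, qualifier RRSF1A, volume RRSF01 and file size are assumptions; the comment syntax is the /* */ form used in other parmlib members and is likewise an assumption.

```jcl
/* IRROPT01: added example (not IBM-supplied). Assumed node 1SYSA,    */
/* PREFIX SYS1.RRSF, qualifier RRSF1A, volume RRSF01.                 */
/*                                                                    */
/* Without WDSQUAL the workspace names would be                       */
/*   SYS1.RRSF.1SYSA.INMSG and SYS1.RRSF.1SYSA.OUTMSG,                */
/* whose middle qualifier starts with a digit, so allocation fails.   */
/*                                                                    */
/* WRONG (pre-OW24966 abbreviation): W(...) once meant WORKSPACE but  */
/* now resolves to WDSQUAL, so VOLUME/FILESIZE are rejected:          */
/*   TARGET NODE(1SYSA) LOCAL PREFIX(SYS1.RRSF) +                     */
/*          W(VOLUME(RRSF01) FILESIZE(500)) OPERATIVE                 */
/*                                                                    */
/* RIGHT: keywords spelled out. WDSQUAL supplies the middle           */
/* qualifier, giving SYS1.RRSF.RRSF1A.INMSG and .OUTMSG. OPERATIVE    */
/* is processed after WDSQUAL whatever the order on the command, and  */
/* the qualifier is frozen once the node is DORMANT or OPERATIVE.     */
TARGET NODE(1SYSA) LOCAL +
       PREFIX(SYS1.RRSF) +
       WDSQUAL(RRSF1A) +
       WORKSPACE(VOLUME(RRSF01) FILESIZE(500)) +
       OPERATIVE
```

After the member is processed, TARGET LIST shows the node with its workspace data set names; a later TARGET NODE(1SYSA) WDSQUAL(...) is rejected because the node is already operative, which is the intended protection against renaming queues that are in use.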

 

 

 

 

 

 

 

 

 

 

 

 


Enable/Disable Changes

OS/390 Version 2 Release 4 has a new product ID that affects the enable/disable function in all of its elements, including the Security Server. The ID() parameter in the IFAPRDxx parmlib member needs to be "5647-A01". The remainder of the parameters remain the same. Without this necessary change to the ID() parameter, the Security Server will not initialize. In order to keep from making changes in the future, you can use the value ID(*).

For more information, see OS/390 Security Server (RACF) System Programmer's Guide.

 

 

 

 

 

OW26237 Enhancements of Global Access Checking

This enhancement allows RACROUTE REQUEST=AUTH processing to use global access checking for general resource classes regardless of whether or not the class has been RACLISTed by either SETROPTS RACLIST or RACROUTE REQUEST=LIST. Authorization checking using RACROUTE REQUEST=AUTH first searches the global access checking table for a matching entry, ignoring whether the class has been RACLISTed. If no global access checking table entry matches the resource, or the access specified in the entry is less than the access being requested, RACF searches for a matching profile in the class. With this release of the Security Server (RACF), this processing occurs regardless of whether or not the class has been RACLISTed using SETROPTS RACLIST or RACROUTE REQUEST=LIST.
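A review-and-define sequence for the OW26237 change, as an added example (not IBM-supplied code). The resource name MYAPP.PUBLIC.** in the FACILITY class is an assumption. The point it makes is the migration consequence the text implies: after this enhancement a global access table entry for a class that is not RACLISTed starts being honoured, and an access granted from the global table consults no profile and writes no SMF record, so entries that were inert before the PTF deserve a review before it is applied.

```jcl
//GLOBALCK JOB (ACCT),'GLOBAL ACCESS REVIEW',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example (not IBM-supplied). Assumed resource MYAPP.PUBLIC.**.
//* 1. Inventory. SETROPTS LIST shows which classes are RACLISTed and
//*    which have global checking active; RLIST GLOBAL * shows every
//*    table entry. An entry for a class that is active for global
//*    checking but not RACLISTed was ignored before OW26237 and is
//*    honoured now: review each such entry before migrating.
//* 2. A profile with AUDIT(ALL(READ)) for contrast, then a table entry
//*    granting READ. A READ request is now satisfied from the table
//*    with no profile lookup and no SMF record, despite the profile's
//*    audit setting. An UPDATE request does not match (READ < UPDATE)
//*    and falls through to normal, audited profile checking.
//* 3. Activate and refresh global checking for the class. Use RALTER
//*    GLOBAL FACILITY ADDMEM(...) instead of RDEFINE if the GLOBAL
//*    FACILITY profile already exists; refresh RACLIST(FACILITY) too
//*    if FACILITY is RACLISTed on this system.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  SETROPTS LIST
  RLIST    GLOBAL *
  SETROPTS GENERIC(FACILITY)
  RDEFINE  FACILITY MYAPP.PUBLIC.** UACC(NONE) AUDIT(ALL(READ))
  RDEFINE  GLOBAL FACILITY ADDMEM(MYAPP.PUBLIC.**/READ)
  SETROPTS GLOBAL(FACILITY)
  SETROPTS GLOBAL(FACILITY) REFRESH
  RLIST    GLOBAL FACILITY
/*
```

The practical rule that follows: keep global access table entries only for resources whose reads you genuinely do not need to audit, and never rely on a class being un-RACLISTed to keep an entry dormant, since that assumption stops holding at this release.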

 

 

 


Chapter 3. Summary of Changes to RACF Components for OS/390 Release 4

This chapter summarizes the new and changed components of OS/390 Release 4 Security Server (RACF). It includes the following summary charts for components of RACF:

• Callable Services
• Class descriptor table (CDT)
• Commands
• Data Areas
• Exits
• Macros
• Messages
• Panels
• SYS1.SAMPLIB
• Publications Library

Callable Services

Figure 1 lists a new callable service. This callable service is a product-sensitive programming interface (PSPI), which means that it is not intended for use in customer programs, but rather for use by other IBM components or vendor programs.

 

 

 

 

 

 

 

 

Figure 1. New Callable Services

Callable service name: R_admin
Support: TME 10
Description: The R_admin service enables TME 10 applications to manage RACF user profiles within the RACF database. This service accepts either a function code-driven parameter list with data fields consisting of name-value pairs or a preconstructed RACF TSO command to be executed. R_admin does NOT include the following RACF commands: BLKUPD, RVARY, RACLINK. It also does NOT include RACF operator commands such as DISPLAY, RESTART, SET, SIGNOFF, STOP, and TARGET.

 

 

 

 

 

 

 

 

 

 

 

 

 


Figure 2. Changed Callable Services

Callable service name: initUSP
Support: Default USER/GROUP OMVS Segment
Description:
• If no OMVS segment is found in the user's profile, the initUSP service checks the BPX.DEFAULT.USER profile in the FACILITY class. This profile may contain a user ID in its application data field that provides a default OMVS segment. If this default is found, it is used to set the UID, HOME, and PROGRAM for the user.
• If no OMVS segment is found in the group profile of the user's current connect group, the initUSP service checks the BPX.DEFAULT.USER profile in the FACILITY class. This profile may contain a group ID in the application data field that provides a default OMVS segment. If this default is found, it is used to set the GID for the user.
• If any defaults are used by initUSP, a bit is set in the resulting USP to indicate that this is the default Open Edition security environment. Any audit records written by subsequent RACF callable services reflect this.

Callable service name: getGMAP
Support: Default USER/GROUP OMVS Segment
Description:
• If getGMAP is given a group ID as input and the corresponding GROUP profile has no OMVS segment, getGMAP checks the BPX.DEFAULT.USER profile in the FACILITY class. This profile may contain a group ID in its application data field that provides a default OMVS segment. If this default is found, its GID is returned to the issuer of getGMAP.

Callable service name: getUMAP
Support: Default USER/GROUP OMVS Segment
Description:
• If getUMAP is given a user ID as input and the corresponding USER profile has no OMVS segment, getUMAP checks the BPX.DEFAULT.USER profile in the FACILITY class. This profile may contain a user ID in its application data field that provides a default OMVS segment. If this default is found, its UID is returned to the issuer of getUMAP.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Class Descriptor Table (CDT)

Figure 3 lists new classes provided in the IBM-supplied class descriptor table (ICHRRCDX). The class names are general-use programming interfaces (GUPIs) for ICHEINTY and RACROUTE. There is a set of entries corresponding to the classes added in the IBM-supplied router tables.


Figure 3. New Classes

Name      Description                                              Support
DSNADM    DB2 administrative authority class                       DB2
GDSNBP    Grouping class for buffer pool privileges                DB2
GDSNCL    Grouping class for collection privileges                 DB2
GDSNDB    Grouping class for database privileges                   DB2
GDSNPK    Grouping class for package privileges                    DB2
GDSNPN    Grouping class for plan privileges                       DB2
GDSNSG    Grouping class for storage group privileges              DB2
GDSNSM    Grouping class for system privileges                     DB2
GDSNTB    Grouping class for table, index, or view privileges      DB2
GDSNTS    Grouping class for tablespace privileges                 DB2
MDSNBP    Member class for buffer pool privileges                  DB2
MDSNCL    Member class for collection privileges                   DB2
MDSNDB    Member class for database privileges                     DB2
MDSNPK    Member class for package privileges                      DB2
MDSNPN    Member class for plan privileges                         DB2
MDSNSG    Member class for storage group privileges                DB2
MDSNSM    Member class for system privileges                       DB2
MDSNTB    Member class for table, index, or view privileges        DB2
MDSNTS    Member class for tablespace privileges                   DB2
TMEADMIN  Maps the TME administrator's user ID and Tivoli          TME 10
          Management Region (TMR) to a RACF user ID

Commands

Figure 4 lists the changes to RACF commands for OS/390 Release 4. For more information on these commands, see OS/390 Security Server (RACF) Command Language Reference.

Figure 4. Changes to RACF Commands

Command: ALTUSER, PASSWORD
Support: Password History Enhancements
Description: The ALTUSER command and the PASSWORD command are modified to save the old password in the password history list, whether reset by the user or an administrator. For more information on the ALTUSER and PASSWORD commands, see OS/390 Security Server (RACF) Command Language Reference.

 

 

 

 

 

 

 

 

 

 

 

 

Figure 4 (continued). Changes to RACF Commands

Command: ALTUSER
Support: TME 10
Description: This command supports the removal of all of the user's CLAUTH authorities by using NOCLAUTH(*). For more information on the ALTUSER NOCLAUTH keywords, see OS/390 Security Server (RACF) Command Language Reference.

Command: PERMIT
Support: Program control by SYSID
Description: The PERMIT command allows the keywords WHEN(SYSID(system-identifier...)). This specifies that the indicated users or groups have the specified access authority when loading this controlled program on the specified system. system-identifier is the 4-character value specified for the system identifier (SID) parameter of the SMFPRMxx member of PARMLIB. WHEN(SYSID(system-identifier)) can be used only for resources in the PROGRAM class. See OS/390 MVS Initialization and Tuning Reference for additional information on SMFPRMxx. For more information on the PERMIT command, see OS/390 Security Server (RACF) Command Language Reference.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Figure 4 (continued). Changes to RACF Commands

Command: TARGET
Support: OW24966
Description: The new keyword WDSQUAL is added to the RACF TARGET command to indicate that the variable that follows will be used by RRSF as the middle qualifier for the work space data set names of the INMSG and OUTMSG queues for the local RRSF node defined by the TARGET command. WDSQUAL cannot be used for a remote node.

The format for the qualifier name is prefix.wdsqual.ds_identity. wdsqual can be from 1 to 8 characters long, beginning with an alphabetic character. Initial numerals are not accepted. The formation of the workspace data set names can be changed until the data sets are allocated. This normally occurs when a DORMANT or OPERATIVE keyword is processed. After that keyword is processed, the data set names cannot be changed. Concerning TARGET nodename OPERATIVE WDSQUAL(xxx), RACF processes the OPERATIVE keyword after the WDSQUAL keyword, even though the user specified them in the reverse order. The keyword WDSQUAL works until RACF has processed a TARGET command specifying DORMANT or OPERATIVE for that node.

This enhancement allows operators to set one or more work space data sets for local node names, which can be used when they are working with multisystem RRSF nodes, especially in a sysplex environment.

If you have any TARGET commands in your IRROPTxx RACF parameter library member that specify the WORKSPACE keyword abbreviated to a W, you need to increase the length of that keyword to at least WO so it is not mistaken for the new WDSQUAL keyword, which is now represented as W.

If WDSQUAL is not specified, the previously used format for the data set names is used. This is prefix.sysname.INMSG and prefix.sysname.OUTMSG.

For more information on the TARGET command, see OS/390 Security Server (RACF) Command Language Reference.

Data Areas

Figure 5 lists changed product-sensitive programming interface (PSPI) data areas for RACF.

Figure 5. Changes to PSPI Data Areas

Data area: AFC
Support: Auditability of superuser
Description: This data area maps the contents for the Open Edition MVS security audit function codes. An audit function code has been added to audit requests when ck_priv is called from OpenEdition_spawn (BPX1SPN).

Data area: COMP
Support: TME 10 GEM user administration function for OS/390
Description: This data area maps the common SAF/RACF parameter list for Open Edition MVS security functions. A new 24-byte DSECT ADMN has been added. It includes addresses of the function-specific parameter list structure, of the RACF user ID under whose authority the service executes, of a fullword containing the ACEE address under which this service executes, of a caller-supplied area containing the subpool in which output messages are obtained, and of a fullword containing a pointer to the RACF command output.

Data area: FAST
Support: DB2
Description: FASTPLEN, FASTPVER, FASTALET, and FASTLOGS have been added.

Data area: FC
Support: TME 10 GEM user administration function for OS/390
Description: This data area maps the Open Edition MVS security function codes. A new constant IRRSEQ00# has been added for function code 39 - R_admin.

Data area: RCVT
Support: New FMID
Description: The RACF level in this data area has been updated to 2040, to reflect the new FMID, HRF2240.

Data area: RFXP
Support: DB2
Description: RFXPLEN, RFXPVERS, RFXALET, and RFXLOGS have been added.

Data area: SAFP
Support: New FMID
Description: This data area has been updated to reflect the new RACF FMID, HRF2240.

Exits

Because two new keywords, ACEEALET and LOGSTR, were added to RACROUTE REQUEST=FASTAUTH, there are changes to exit processing.

When the ACEEALET keyword is specified on the RACROUTE REQUEST=FASTAUTH macro, the ACEE must be accessed using the ALET in the RFXALET field of the RFXP parameter list. In all other cases, the ACEE is accessed in the current HOME address space. For cross-memory callers, this means the ACEE must be accessed using an ALET of 2.

When the ACEEALET= keyword is specified, the sequence of exit, authorization and audit processing is the same as the sequence for cross-memory requests. The sequence is:

• ICHRFX03
• Authorization processing
• ICHRFX04
• Audit processing

16 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

RFXALET and RFXLOGS correspond to new fields in the RACROUTE REQUEST=FASTAUTH parameter list. These fields exist only in parameter lists created with RELEASE=2.4 or higher. Therefore, these fields must be accessed only when RFXPVERS indicates Release 2.4 or higher.

Macros

Figure 6 lists changes to executable macros for OS/390 Release 4. These changes are listed for your information; there is no reason to modify any existing programs to use the new release level. These changes are general-use programming interfaces.

Figure 6. Changed Executable Macros

Macro: ICHEACTN, ICHEINTY, ICHETEST
Description: These macros accept the new RELEASE=2.4 keyword.
Support: New FMID

Macro: RACROUTE
Description: REQUEST=FASTAUTH allows the following to be specified:
  • LOGSTR= parameter
  • Message suppression (MSGSUPP=YES)
  • ACEEALET=alet_addr parameter
Support: Authorization support for DB2

Messages

The messages that have been added or changed in RACF for OS/390 Release 4 are listed below. Compare the message identifiers and the corresponding text with any automated operations procedures your installation uses to determine whether updates are required.

New Messages

The following messages are added:

PERMIT Command Messages: ICH06021I

RACF/DB2 External Security Module Messages: IRR900A, IRR901A, IRR902A, IRR903A, IRR904I, IRR905I, IRR906I, IRR907I, IRR908I, IRR909I, IRR9
IRR911I

TARGET Command Messages: IRRM055I, IRRM056I

Changed Messages

The following messages are changed:

RACF Initialization Messages: ICH502I, ICH506I, ICH518I, ICH556I

PERMIT Command Messages: ICH06018I

RDEFINE Command Messages: ICH10302I

RALTER Command Messages: ICH11304I

SETROPTS Command Messages: ICH14042I

RACF Manager Error Messages: ICH51011I

RACF Processing Messages: IRR410I

RACF Utility Messages: IRR67032I, IRR67034I, IRR67124I, IRR67153I, IRR67183I

RRSF Enveloping Messages: IRRV002I, IRRV005I, IRRV013I, IRRV014I

RACF Operational Modes and Coupling Facility Messages: IRRX013A

Deleted Messages

The following messages have been deleted:

ICH401I, ICH402I, ICH403I, ICH404I, ICH405I, ICH406I, ICH407I, ICH41 ICH413I, ICH536I, ICH543I, ICH547I, ICH548I, ICH61000I, ICH61001I, ICH ICH61003I, ICH61004I, ICH61006I, ICH61007I, ICH62001I, ICH62002I, ICH62003I ICH62004I, ICH62007I, ICH62008I, ICH62009I, ICH62010I, ICH62012I, ICH62014 ICH62015I, ICH62017I, ICH62018I, ICH62019I, ICH62021I, ICH62022I, ICH630 ICH63002I, ICH63003I, ICH63004I, ICH63005I, ICH63006I, ICH63007I, ICH63008I, ICH63009I, ICH63010I, ICH63011I, ICH63012I, ICH63013I, ICH63014I, ICH63 ICH63016I, ICH63017I, ICH63018I, ICH63019I, ICH63020I, ICH63021I, ICH6302 ICH63023I, ICH63024I, ICH63025I, ICH63026I, ICH63027A, ICH65001I, ICH65002I, ICH65003I, ICH65004I, ICH65005I, ICH65006I, ICH65007I, ICH65008I, ICH65009I, ICH65010I, ICH65011I, ICH65012I, ICH65013I, ICH65014I, ICH65015I, ICH65016I, ICH65017I, ICH65018I, ICH65019I, ICH65020I, ICH65021I, ICH65022I, ICH65023I, ICH65024I, ICH65025I, ICH65026I, ICH8000, ICH8001, ICH8002,
ICH8003, ICH8004, ICH8005, ICH8006, ICH8007, ICH8008, ICH8009, ICH8010, ICH8011, ICH8012, ICH8013, ICH8014, ICH8015, ICH8016, ICH10316I, ICH36001I, IRR67098I

Panels

Figure 7 lists new RACF panels. Figure 8 on page 19 lists RACF panels that changed.

Figure 7. New Panels for RACF

Panel: ICHP241n
Description: This panel enables you to add an entry for the conditional access list and to identify the access authority for it.
Support: Program control by system ID

Panel: ICHP242n
Description: This panel enables you to remove an entry from the conditional access list and to identify the access list from which conditions are to be removed.
Support: Program control by system ID

Panel: ICHH241n
Description: This panel allows you to specify the system identifiers (SMFIDs) of the systems from which users may use the resources protected by the profile. Each system identifier is a 4-character string.
Support: Program control by system ID

Panel: ICHH242n
Description: This panel allows you to specify the system identifiers (SMFIDs) of the systems to be removed from the specified entries in the conditional access list. Each system identifier is a 4-character string.
Support: Program control by system ID

Panel: ICHnnnn
Description: This panel enables you to specify identifiers (SMFIDs) of the system from which users may use the resources that are being protected. Each system identifier is a 4-character string.
Support: Program control by system ID

Panel: ICHHnnnn
Description: This panel enables you to specify identifiers (SMFIDs) of the system to be removed from the specified entries in the conditional access list. Each system identifier is a 4-character string.
Support: Program control by system ID

Figure 8. Changed Panels for RACF

Panel: ICHP241C, ICHP242A, ICHH241C
Description: These panels contain changes needed to add or remove entries related to conditional access lists.
Support: Program control by system ID

SYS1.SAMPLIB

Figure 9 identifies the change to the RACF member of SYS1.SAMPLIB.

Figure 9. Change to SYS1.SAMPLIB

Member: IRR@XACS
Description: This member is shipped to provide the sample RACF authorization check external security module.
Support: Authorization support for DB2

Publications Library

Figure 10 lists changes to the OS/390 Security Server (RACF) publications.

Figure 10. Changes to the RACF Publications Library

Publication: OS/390 Security Server (RACF) Callable Services
Change: This publication is available only in softcopy.

Publication: OS/390 Security Server (RACF) Data Areas
Change: This is no longer a licensed publication. Its new form number is SY27-2640-03.

Note: You are able to print the softcopy documentation, either in its entirety or simply portions of it.

Chapter 4. Planning Considerations

This chapter describes the following high-level planning considerations for customers upgrading to OS/390 Release 4 Security Server (RACF) from OS/390 Release 3 Security Server (RACF):

• Migration strategy
• Migration paths
• Hardware requirements
• Compatibility

Migration Strategy

The recommended steps for migrating to a new release of RACF are:

1. Become familiar with the release documentation.
2. Develop a migration plan for your installation.
3. Install the product using the program directory shipped with OS/390.
4. Use the new release before initializing major new function.
5. Customize the new function for your installation.
6. Exercise the new function.

Migration Paths for OS/390 Release 4 Security Server (RACF)

• From OS/390 Release 3 Security Server (RACF)

If you are an OS/390 Release 3 Security Server (RACF) customer, migrate to OS/390 Release 4 Security Server (RACF) if you meet the OS/390 release requirements.

• From OS/390 Release 2 Security Server (RACF)

If you are an OS/390 Release 2 Security Server (RACF) customer, migrate to OS/390 Release 4 Security Server (RACF) if you meet the OS/390 release requirements. You should also read OS/390 Security Server (RACF) Planning: Installation and Migration for Release 3.

• From OS/390 Release 1 Security Server (RACF) or RACF 2.2

If you are an OS/390 Release 1 Security Server (RACF) or RACF 2.2 customer, you can migrate to OS/390 Release 4 Security Server (RACF) if you meet the OS/390 release requirements. (OS/390 Release 1 Security Server (RACF) and RACF 2.2 are functionally equivalent.) In addition to this book, you should read:

  OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 2 (GC28-1920-01) and Release 3 (GC28-1920-02)

• From RACF 1.9.2 or RACF 2.1

If you are a RACF 1.9.2 or 2.1 customer, you can migrate to OS/390 Release 4 Security Server (RACF) if you meet the OS/390 release requirements. If you have RACF 2.1 installed, in addition to this book, you should read:

  OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 2 (GC28-1920-01) and Release 3 (GC28-1920-02), and

Copyright IBM Corp. 1994, 1997    21

  OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1 (GC28-1920-00)

If you have RACF 1.9.2 installed, in addition to this book, you should read:

  OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 2 (GC28-1920-01) and Release 3 (GC28-1920-02)
  OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1 (GC28-1920-00)
  RACF Planning: Installation and Migration for RACF 2.1 (GT00-9241-00)

• From RACF 1.9

If you are a RACF 1.9 customer, you can migrate to OS/390 Release 4 Security Server (RACF) if you are running with the restructured database and meet the OS/390 release requirements. If your database is not restructured, you must restructure it and perform appropriate testing of any installation-supplied code that uses ICHEINTY or RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT or TYPE=REPLACE before installing OS/390 Release 2 Security Server (RACF). In addition to this book, you should read:

  OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 2 (GC28-1920-01) and Release 3 (GC28-1920-02)
  OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1 (GC28-1920-00)
  RACF Migration and Planning for RACF 2.1 (GT00-9241-00)
  RACF Migration and Planning for RACF 1.9.2 (GC23-3045)

• From RACF releases prior to 1.9

If you are on a RACF release prior to 1.9, you need to buy a service. These are available from IBM and possibly from other vendors. In addition to this book, you should read:

  OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 2 (GC28-1920-01) and Release 3 (GC28-1920-02)
  OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1 (GC28-1910-00)
  RACF Planning: Installation and Migration for RACF 2.1 (GT00-9241-00)
  RACF Migration and Planning for RACF 1.9.2 (GC23-3054)
  RACF Migration and Planning for RACF 1.9 (GT00-5380-00)

Hardware Requirements

OS/390 Release 4 Security Server (RACF) does not require any specific hardware support. It runs on all hardware supported by OS/390 Release 4. However, data sharing mode in the Parallel Sysplex requires a coupling facility configured for RACF's use.

Compatibility

This section describes considerations for compatibility between OS/390 Release 4 Security Server (RACF) and OS/390 Release 3 Security Server (RACF).

OpenEdition MVS

If you are an OpenEdition MVS user, be sure to review carefully the following information on possible changes.

For Auditability of Superusers

If you are not already auditing the PROCESS class, you need to decide whether you want to receive the audit records. If you do decide you want to audit the OpenEdition spawn service, issue SETROPTS LOGOPTIONS(xxxx(PROCESS)) to obtain the SMF TYPE80 record for ck_priv in order to audit superuser use. If you are already auditing the PROCESS class, you do not need to issue that command. You need to change any programs reporting from the unloaded data if they are to report the spawn audit information.

For Default USER/GROUP OpenEdition Segment

The existing type 317 relocate section appears on any SMF TYPE80 record written by the RACF callable services for users running with any default OpenEdition information. You need to change any programs reporting from the unloaded data if they are to reflect this support.

Program Control by System ID

If users are already allowed access through the standard access list, they must be removed from these lists so that the conditional access list entry is used. The program profiles must then be refreshed with SETROPTS WHEN(PROGRAM) REFRESH to activate the updated PROGRAM profiles.

RELEASE=2.4 Keyword on Macros

You should only specify RELEASE=2.4 and reassemble if you intend to use the new keywords. If you use the new keywords, you need to run on the OS/390 Release 4 system to get the expected results.

Chapter 5. Installation Considerations

This chapter describes the following changes of interest to the system programmer installing OS/390 Release 4 Security Server (RACF):

• Virtual storage considerations
• Templates

RACF Storage Considerations

This section discusses storage considerations for RACF.

Using the RACF DB2 external security module increases the number of profiles in the RACF database. Therefore, if you plan to use the RACF DB2 external security module, recalculate the amount of storage that is needed. If there is not enough storage, you should increase the size of the RACF database.

Virtual Storage

Figure 11 estimates RACF virtual storage usage for planning purposes.

Figure 11. RACF Estimated Storage Usage

Columns: Storage Subpool, Usage, How to Estimate Size (bytes)

FLPA
  RACF service routines, if IMS or CICS is using RACF for authorization checking: 47 000
  RACROUTE REQUEST=FASTAUTH and ICHRTX00 exits: Measure using AMBLIST

PLPA
  RACF installation exits that are AMODE(24) or AMODE(ANY): Measure using AMBLIST
  RACF RMODE(24) code: 750
  RACF service routines, if IMS or CICS is not using RACF for authorization checking, unless explicitly removed from SYS1.LPALIB and placed elsewhere for use in FLPA: 47 000
  RACROUTE REQUEST=FASTAUTH and ICHRTX00 exits: Measure using AMBLIST
  RACF range table: 4 + (number_of_ranges × 45)

EPLPA
  RACF installation exits that are AMODE(31): Measure using AMBLIST
  RACF resident modules above 16MB: 875 000

SQA
  RACF communications vector table and extension: 2800
  Class descriptor table (CNST) and RACF router table: 7500 + (58 × number_of_customer_defined_classes)

ESQA
  RACF data sharing control area: 300 (when enabled for sysplex communication)
  Class descriptor table (CNSX): (number_of_IBM-defined_classes × 28) + (number_of_IBM-defined_entries_in_router_table × 30) + (number_of_customer_defined_classes × 58) + 26. For Security Server (RACF), there are 145 IBM-defined classes and 167 IBM-defined entries in the router table, so the size of the CNSX is 9096 + (number_of_customer_defined_classes × 58). If you install a PTF that adds entries, you will need to recalculate this number.

LSQA
  ACEE and related storage: 400 + installation_data_length + terminal_installation_data_length + application_installation_data + (52 for every 78 temporary datasets, rounded up to the next multiple of 52). If the address space has been dubbed an OpenEdition process, then add: 52 + (number_of_connected_groups_with_GIDs × 4). Add 112 bytes if the user has CLAUTH for a class with POSIT value over 127.
  Notes:
  1. Applications can place this storage in a different subpool.
  2. Applications can create multiple ACEEs in this and other storage subpools.

ELSQA
  Connect group table: 64 + (48 × number_of_groups_connected)
  In-storage generic profiles: 160 + number_of_generic_profiles × (14 + average_profile_size + average_profile_name_length)
  RACF storage tracking table: 3500
  RACROUTE REQUEST=LIST profiles: 2108 + (number_of_profiles_in_class × 16) + (number_of_unique_generic_profile_prefix_lengths × 24) + (number_of_generic_profiles × 4) + (number_of_resident_profiles × (10 + average_profile_size + (1.5 × class_max_profile_name_size))) for each class if GLOBAL=YES is not specified.
  Note: Applications can place these profiles in a different storage subpool.

CSA
  RACF global access tables: 3040 + (number_of_user_classes × 24) + (… × (182 + number_of_entries × (6 + (1.5 × max_profile_name_size))))
  RACF database control structures (DCB, DEB, templates): 4600 + (number_of_BAM_blocks × 6) + (364 × number_of_RACF_primary_data_sets)
  RACF subsystem control blocks: 3500

ECSA
  RACF data set descriptor table and extension: 168 + (896 × number_of_RACF_primary_data_sets)
  RACF ICB (non-shared DB): 4096 per RACF database if the database is not shared and not on a device marked as shared, 0 otherwise
  RACF program control table: 28 + (number_of_program_profiles × average_program_profile_size) + (number_of_controlled_libraries × 50). To find the average_program_profile_size, use the following formula: 54 + (average_number_of_access_entries × 9) + (average_number_of_conditional_access_entries × 17) + (average_number_of_libraries × 52)
  RACF resident data blocks: For each primary RACF database: 3248 + (4136 × number_of_database_buffers). If using sysplex communication, for each backup database add: 3248 + (4 × number_of_database_buffers × 2)
  Dynamic parse tables: 30 000
  SETROPTS GENLIST profiles: 52 + (number_of_profiles_in_class × 16) + (number_of_resident_profiles × (10 + average_profile_size + (1.5 × class_max_profile_name_size)))

User private, below 16MB
  RACF transient storage: 16 000 (minimum) while a RACF service is executing
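Several of the Figure 11 formulas feed the same subpool and two of them (the ACEE and the program control table) contain a nested or rounded term, so the following is an added worked example, written for this page and not IBM code, that turns the ESQA, SQA, PLPA, LSQA, ELSQA and ECSA formulas into C functions and evaluates them on constructed counts. The constants are the figure's; the function names and the sample counts in main() are this example's own. The per-backup-database term of the resident data blocks row is deliberately left out, because its multiplier is not legible in this copy of the figure.

```c
/* Added example: RACF virtual storage estimates from the Figure 11
 * formulas, as plain C.  Written for this page; not IBM code.  The sample
 * counts in main() are constructed.  All results are in bytes. */
#include <stdio.h>

/* ESQA: class descriptor table (CNSX).  With the 145 IBM classes and 167
 * IBM router entries the figure quotes, this is 9096 for an installation
 * with no classes of its own. */
long cnsx_size(long ibm_classes, long ibm_router_entries, long customer_classes)
{
    return ibm_classes * 28 + ibm_router_entries * 30 + customer_classes * 58 + 26;
}

/* SQA: class descriptor table (CNST) plus RACF router table. */
long cnst_size(long customer_classes)
{
    return 7500 + 58 * customer_classes;
}

/* PLPA: RACF range table. */
long range_table_size(long ranges)
{
    return 4 + ranges * 45;
}

/* LSQA: ACEE and related storage.  The figure charges 52 bytes for every
 * 78 temporary data sets, rounded up, i.e. 52 * ceil(n / 78). */
long acee_size(long installation_data_len, long terminal_installation_data_len,
               long application_installation_data_len, long temporary_datasets,
               int dubbed_openedition_process, long connected_groups_with_gids,
               int clauth_for_posit_over_127)
{
    long size = 400 + installation_data_len + terminal_installation_data_len
              + application_installation_data_len;
    size += 52 * ((temporary_datasets + 77) / 78);
    if (dubbed_openedition_process)
        size += 52 + 4 * connected_groups_with_gids;
    if (clauth_for_posit_over_127)
        size += 112;
    return size;
}

/* ELSQA: connect group table. */
long connect_group_table_size(long groups_connected)
{
    return 64 + 48 * groups_connected;
}

/* ECSA: average program profile size, then the program control table. */
long average_program_profile_size(long avg_access_entries,
                                  long avg_conditional_access_entries,
                                  long avg_libraries)
{
    return 54 + 9 * avg_access_entries + 17 * avg_conditional_access_entries
         + 52 * avg_libraries;
}

long program_control_table_size(long program_profiles, long avg_program_profile_size,
                                long controlled_libraries)
{
    return 28 + program_profiles * avg_program_profile_size + 50 * controlled_libraries;
}

/* ECSA: data set descriptor table, and resident data blocks for the primary
 * databases (the figure's extra term per backup database under sysplex
 * communication is omitted; its multiplier is not legible here). */
long dsdt_size(long primary_data_sets)
{
    return 168 + 896 * primary_data_sets;
}

long resident_data_blocks_size(long primary_data_sets, long database_buffers)
{
    return primary_data_sets * (3248 + 4136 * database_buffers);
}

int main(void)
{
    /* Constructed installation: 12 own classes, 3 ranges, 2 primary data
     * sets with 255 buffers each, 40 program profiles in 6 libraries. */
    long avg_pp = average_program_profile_size(3, 1, 2);
    printf("CNSX (ESQA)            %ld\n", cnsx_size(145, 167, 12));
    printf("CNST+router (SQA)      %ld\n", cnst_size(12));
    printf("range table (PLPA)     %ld\n", range_table_size(3));
    printf("ACEE (LSQA)            %ld\n", acee_size(32, 0, 0, 100, 1, 5, 0));
    printf("connect groups (ELSQA) %ld\n", connect_group_table_size(5));
    printf("program control (ECSA) %ld\n", program_control_table_size(40, avg_pp, 6));
    printf("DSDT (ECSA)            %ld\n", dsdt_size(2));
    printf("resident blocks (ECSA) %ld\n", resident_data_blocks_size(2, 255));
    return 0;
}
```

Re-run the CNSX function with the class and router counts from the current CDT after applying a PTF that adds entries; that is the recalculation the figure asks for.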

 

 

 

 

 

 

Templates for RACF on OS/390 Release 4

The RACF database must have templates at the Security Server (RACF) Release 4 level in order for RACF to function properly. If a Security Server (RACF) Release 4 system is sharing the database with a lower-level system (RACF 1.9, RACF 1.10, RACF 2.1, RACF 2.2, Security Server (RACF) Release 1, Security Server (RACF) Release 2, or Security Server (RACF) Release 3), the lower-level system is able to use the database with the Security Server (RACF) Release 4 templates. Use the IRRMIN00 utility to install the templates.

For more information, see OS/390 Security Server (RACF) System Programmer's Guide and the program directory shipped with OS/390.

Chapter 6. Customization Considerations

This chapter identifies customization considerations for OS/390 Release 4 Security Server (RACF).

For additional information, see OS/390 Security Server (RACF) System Programmer's Guide.

Customer Additions to the Router Table and the CDT

Installations must verify that classes they have added to the router table and class descriptor table (CDT) do not conflict with new classes shipped with this release. If duplicate table entries are detected, the following error messages are issued at RACF initialization time:

• For a duplicate router table entry, RACF issues this message and continues processing:

  ICH527I RACF DETECTED AN ERROR IN THE INSTALLATION ROUTER TABLE, ENTRY class_name, ERROR CODE 1.

• For a duplicate CDT entry, RACF issues this message and enters failsoft mode:

  ICH564A RACF DETECTED AN ERROR IN THE INSTALLATION CLASS DESCRIPTOR TABLE, ENTRY class_name, ERROR CODE 7.

If a conflict in class names occurs, you must delete the profiles in the installation-defined class with the confl cting name, delete the CDT entry for the class, add a CDT entry with a different name, and redefine the profiles.

Do not assemble the user-defined CDT (ICHRRCDE) on OS/390 Release 4 and attempt to use it on a system running RACF at a lower level than RACF Release 2.
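A check an installation can run before IPL rather than discovering the duplicate from ICH564A, as an added example for the passage above (written for this page, not IBM code): compare the class names in the installation's own router table and CDT additions against the classes the release ships, the way RACF initialization will, and print the two messages quoted above for any duplicate. The installation classes and the short list of IBM classes below are constructed samples; the only class this page itself names as new in the release is TMEADMIN, which is the collision the sample triggers.

```c
/* Added example: pre-IPL check for installation class names that collide
 * with IBM-shipped classes.  Written for this page; not IBM code.  Both
 * class lists are constructed samples. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CLASS_NAME_MAX 8   /* RACF class names are at most 8 characters */

/* Constructed: classes an installation added to its CDT and router table. */
static const char *const INSTALLATION_CLASSES[] = {
    "$PAYROLL", "XYZAPPL", "tmeadmin", "MYDB2TB"
};

/* Constructed excerpt of IBM-supplied classes; TMEADMIN is the one this
 * release adds. */
static const char *const IBM_CLASSES[] = {
    "DATASET", "FACILITY", "PROCESS", "PROGRAM", "TMEADMIN"
};

#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Normalise a class name the way the tables hold it: uppercase, cut at 8
 * characters, so "tmeadmin" and "TMEADMIN" compare equal. */
void canonical_class_name(const char *in, char out[CLASS_NAME_MAX + 1])
{
    int i;
    for (i = 0; i < CLASS_NAME_MAX && in[i] != '\0'; i++)
        out[i] = (char)toupper((unsigned char)in[i]);
    out[i] = '\0';
}

/* Number of installation classes that duplicate an IBM class; up to out_max
 * of the offending installation names are stored in out. */
int find_class_conflicts(const char *const *inst, int n_inst,
                         const char *const *ibm, int n_ibm,
                         const char **out, int out_max)
{
    int found = 0;
    for (int i = 0; i < n_inst; i++) {
        char a[CLASS_NAME_MAX + 1];
        canonical_class_name(inst[i], a);
        for (int j = 0; j < n_ibm; j++) {
            char b[CLASS_NAME_MAX + 1];
            canonical_class_name(ibm[j], b);
            if (strcmp(a, b) == 0) {
                if (found < out_max)
                    out[found] = inst[i];
                found++;
                break;
            }
        }
    }
    return found;
}

/* Print what RACF initialization would say for each conflict: ICH527I for
 * the router table (processing continues), ICH564A for the CDT (failsoft). */
void report_conflicts(const char *const *names, int n, int is_cdt)
{
    for (int i = 0; i < n; i++) {
        char c[CLASS_NAME_MAX + 1];
        canonical_class_name(names[i], c);
        if (is_cdt)
            printf("ICH564A RACF DETECTED AN ERROR IN THE INSTALLATION CLASS "
                   "DESCRIPTOR TABLE, ENTRY %s, ERROR CODE 7.\n", c);
        else
            printf("ICH527I RACF DETECTED AN ERROR IN THE INSTALLATION ROUTER "
                   "TABLE, ENTRY %s, ERROR CODE 1.\n", c);
    }
}

/* Run the check over the constructed samples; returns the conflict count. */
int sample_conflict_count(void)
{
    const char *hits[COUNT(INSTALLATION_CLASSES)];
    return find_class_conflicts(INSTALLATION_CLASSES, COUNT(INSTALLATION_CLASSES),
                                IBM_CLASSES, COUNT(IBM_CLASSES), hits, COUNT(hits));
}

/* Canonical name of the first conflict in the samples ("" if none). */
const char *sample_first_conflict(void)
{
    static char name[CLASS_NAME_MAX + 1];
    const char *hits[COUNT(INSTALLATION_CLASSES)];
    int n = find_class_conflicts(INSTALLATION_CLASSES, COUNT(INSTALLATION_CLASSES),
                                 IBM_CLASSES, COUNT(IBM_CLASSES), hits, COUNT(hits));
    name[0] = '\0';
    if (n > 0)
        canonical_class_name(hits[0], name);
    return name;
}

int main(void)
{
    const char *hits[COUNT(INSTALLATION_CLASSES)];
    int n = find_class_conflicts(INSTALLATION_CLASSES, COUNT(INSTALLATION_CLASSES),
                                 IBM_CLASSES, COUNT(IBM_CLASSES), hits, COUNT(hits));
    report_conflicts(hits, n, 1);   /* as the CDT check would report it */
    report_conflicts(hits, n, 0);   /* as the router table check would */
    return n == 0 ? 0 : 1;           /* nonzero: rename before IPL */
}
```

Feed it the full IBM class list from the release's CDT and your ICHRRCDE source and a nonzero exit status means a rename is needed before the system is IPLed with the new release.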

 

 

 

 

 

 

 

RACF/DB2 External Security Module Customization

If you have both this release of RACF and Version 5 of DB2, you can use RACF to protect DB2 objects. Migrating to this support can be done one object at a time. For example, all DB2 tables can be protected by RACF while other DB2 objects are not RACF-protected. If an object is not protected by RACF, the RACF/DB2 external security module defers to DB2 for authority checking.

The following is an overview of the steps involved in customizing the RACF/DB2 external security module. For details, see OS/390 Security Server (RACF) System Programmer's Guide and OS/390 Security Server (RACF) Security Administrator's Guide.

• Concerned staff members, such as the security administrator, system programmer, DB2 system programmer, and database administrator, need to decide whether to use the RACF/DB2 external security module.

• Staff members need to decide which of the options (such as class name options) offered by the RACF/DB2 external security module they will use. This can be as simple as using the defaults, which is recommended. If the defaults are used, no new classes are needed.

• Set the options in the RACF/DB2 external security module. To do this, see OS/390 Security Server (RACF) System Programmer's Guide.

• Decide which DB2 objects are to be protected using RACF. Define the appropriate profiles. To do this, see OS/390 Security Server (RACF) Security Administrator's Guide.

• Activate the RACF/DB2 external security module. This includes assembling and link-editing the RACF/DB2 external security module. In addition, confirm that it is in the appropriate library. To do this, see DB2 for OS/390 Version 5 Administration Guide Volume, SC26-8957, and DB2 for OS/390 Version 5 Installation Guide, GC26-8970.

• Restart the DB2 subsystem.

Exit Processing

The following changes affect FASTAUTH exits. Four fields have been added to the RFXP data area and four to the FAST data area.

Four fields are added to the RFXP data area. These are two 1-byte fields, RFXPLEN and RFXPVERS. RFXPLEN contains the parameter list length, and RFXPVERS contains the parameter list version. There are also two new 4-byte fields, RFXALET and RFXLOGS, which exist only when RFXPVERS contains a value of 1 or higher.

Four fields are also added to the FAST data area. These are two 1-byte fields, FASTPLEN and FASTPVER. FASTPLEN contains the parameter list length, and FASTPVER contains the parameter list version. There are also two new 4-byte fields, FASTALET and FASTLOGS, which exist only when FASTPVER contains a value of 1 or higher.
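For the exit changes described here and in the Exits section of Chapter 3 (reach the ACEE through RFXALET only when ACEEALET= was specified, and touch RFXALET and RFXLOGS only when RFXPVERS says they exist), here is an added C model of what a FASTAUTH exit has to do, written for this page and not IBM code. The field layout is an assumption: the real RFXP DSECT has more fields, represented here as 32 opaque bytes, and the example further assumes that in a list built with a lower RELEASE= the two version bytes read as zero and that a nonzero RFXALET means ACEEALET= was coded. ALET 0 for the primary address space and ALET 2 for the home address space are standard MVS values; every other number is constructed sample data.

```c
/* Added example: version-gated access to the RFXP parameter list from a
 * FASTAUTH exit.  Written for this page; not IBM code.  The layout is an
 * assumption (see RFXP_OPAQUE_BYTES); the sample lists are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RFXP_OPAQUE_BYTES 32   /* assumption: the pre-2.4 fields, not modelled */
#define ALET_PRIMARY 0u
#define ALET_HOME    2u        /* what a cross-memory caller uses to reach HOME */

struct rfxp {
    uint8_t opaque[RFXP_OPAQUE_BYTES];
    uint8_t rfxplen;      /* parameter list length (1 byte, new in 2.4) */
    uint8_t rfxpvers;     /* parameter list version (1 byte, new in 2.4) */
    uint8_t rfxalet[4];   /* ALET for the ACEE; exists only if rfxpvers >= 1 */
    uint8_t rfxlogs[4];   /* address of LOGSTR data; exists only if rfxpvers >= 1 */
};

/* The list is big-endian storage, as on the mainframe. */
static void put_be32(uint8_t *b, uint32_t v)
{
    b[0] = (uint8_t)(v >> 24); b[1] = (uint8_t)(v >> 16);
    b[2] = (uint8_t)(v >> 8);  b[3] = (uint8_t)v;
}
static uint32_t get_be32(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16)
         | ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Both conditions must hold before the exit touches RFXALET or RFXLOGS:
 * the version says the fields exist and the length actually covers them.
 * An older caller's list ends earlier, and whatever follows it in storage
 * is not the exit's to interpret. */
int rfxp_has_release24_fields(const struct rfxp *p)
{
    return p->rfxpvers >= 1 && (size_t)p->rfxplen >= sizeof(struct rfxp);
}

/* Which ALET the exit must use to reach the ACEE. */
uint32_t exit_acee_alet(const struct rfxp *p, int cross_memory_caller)
{
    if (rfxp_has_release24_fields(p)) {
        uint32_t alet = get_be32(p->rfxalet);
        if (alet != 0)                  /* assumption: nonzero => ACEEALET= coded */
            return alet;
    }
    /* ACEEALET= not specified: the ACEE is in the current HOME address space. */
    return cross_memory_caller ? ALET_HOME : ALET_PRIMARY;
}

/* LOGSTR address if the caller supplied one; 0 if absent or not present. */
int exit_logstr_address(const struct rfxp *p, uint32_t *addr_out)
{
    if (!rfxp_has_release24_fields(p))
        return 0;
    uint32_t a = get_be32(p->rfxlogs);
    if (a == 0)
        return 0;
    *addr_out = a;
    return 1;
}

/* Build a constructed parameter list.  release24 == 0 models a list from a
 * program assembled with a lower RELEASE=: the version bytes read as zero
 * and the bytes beyond are junk standing in for storage the exit must not
 * read. */
void rfxp_build(struct rfxp *p, int release24, uint32_t alet, uint32_t logstr)
{
    memset(p, 0, sizeof *p);
    if (release24) {
        p->rfxplen  = (uint8_t)sizeof(struct rfxp);
        p->rfxpvers = 1;
        put_be32(p->rfxalet, alet);
        put_be32(p->rfxlogs, logstr);
    } else {
        memset(p->rfxalet, 0xEE, sizeof p->rfxalet);
        memset(p->rfxlogs, 0xEE, sizeof p->rfxlogs);
    }
}

/* Convenience wrappers over constructed lists. */
uint32_t demo_acee_alet(int release24, uint32_t alet, int cross_memory_caller)
{
    struct rfxp p;
    rfxp_build(&p, release24, alet, 0);
    return exit_acee_alet(&p, cross_memory_caller);
}

uint32_t demo_logstr(int release24, uint32_t logstr)
{
    struct rfxp p;
    uint32_t a = 0;
    rfxp_build(&p, release24, 0, logstr);
    return exit_logstr_address(&p, &a) ? a : 0;
}

int main(void)
{
    printf("old list, cross-memory caller: ALET %u\n", (unsigned)demo_acee_alet(0, 0, 1));
    printf("2.4 list, ACEEALET=X'00010005': ALET %#x\n", (unsigned)demo_acee_alet(1, 0x00010005u, 1));
    printf("2.4 list, no ACEEALET, same space: ALET %u\n", (unsigned)demo_acee_alet(1, 0, 0));
    printf("2.4 list, LOGSTR at %#x\n", (unsigned)demo_logstr(1, 0x7F00u));
    return 0;
}
```

The same two-step gate applies unchanged to the FAST data area with FASTPVER, FASTPLEN, FASTALET and FASTLOGS in place of the RFXP names.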

 

 

 

 

 

 

 

 

 


Chapter 7. Administration Considerations

This chapter summarizes the changes to administration procedures that the administrator should be aware of. For more information, see OS/390 Security Server (RACF) Security Administrator's Guide.


The TMEADMIN Class

The new TMEADMIN class is used to associate a TME administrator with a MVS identity on any MVS system that is part of a Tivoli management region. The TMEADMIN class contains a profile for each TME administrator who is to perform RACF user management tasks. The name of this profile is the TME administrator string name. For example:

admin-login-name@TME-region-name

The hex code for @ is x'7C'. You need to use the key on your keyboard that provides that hex value. Sharing of a single RACF user ID by multiple administrators is not recommended. It is preferable that each TME administrator map to a unique RACF user ID.

In the following example, the TME administrator root in the Tivoli TMR region pok01 would have a RACF user ID of CSMITH. The APPLDATA field of this profile contains the RACF MVS userid. Only a RACF administrator with SPECIAL authority can issue this command:

RDEFINE TMEADMIN root@pok01 APPLDATA('CSMITH')

For more information on the TMEADMIN class, see “Tivoli Management Environment (TME) 10 Global Enterprise Management User Administration Service” on page 8.


Password History Changes

When an administrator resets a password for a user, the old password is saved in the password history list. This is done with the use of one of the following commands:

ALTUSER (userid ...) PASSWORD
ALTUSER (userid ...) PASSWORD(password)
PASSWORD USER(userid ...)

For more information, see “Password History Enhancements” on page 7.

Program Control by System ID

Program control by system ID limits a user's access to a particular
specified system. It improves system management and usability of program products in the sysplex environment. In addition, it eliminates error-prone procedures, eliminates the need to keep DASD that is not shared, and
the possibility of license exposures.



Enhancements of Global Access Checking

When you use RACROUTE REQUEST=AUTH processing (which utilizes global access checking) for general resource classes, these classes can be
whether or not the class is RACLISTed using SETROPTS RACLIST or RACROUTE REQUEST=LIST.



Chapter 8. Auditing Considerations

This section summarizes the changes to auditing procedures for SMF records.

SMF Records

Figure 12 summarizes changes to SMF records created by RACF for OS/390
Release 4. These changes are general-use programming interfaces (GUPIs).

Figure 12. Changes to SMF Records

Record Type: 80
Record Field: SMF80DTA
Description of Change: When program control through system ID is operating, a new bit is defined in an existing relocate section for SMF TYPE80 records written by the PERMIT command. The relocate section is data type 39 (X'27'), and the new bit indicates that the conditional entity type is SYSID.
Support: Program control through system ID

Record Type: 80
Record Field: SMF80DA2
Description of Change: This record with a ck_priv event code is written when an authorization check is done for a superuser. The record contains the audit function code to indicate that the ck_priv callable service was called from spawn (IRRSPK00).
Support: OpenEdition auditing of superuser use

For more information on SMF records, see OS/390 Security Server (RACF) Macros and Interfaces.

The RACF/DB2 external security module can be used to protect DB2 objects using RACF profiles. If your installation chooses to use this function, RACF records can be used to audit access attempts to DB2 data and resources. For more information on auditing for the RACF/DB2 external security module, see OS/390 Security Server (RACF) Auditor's Guide.


Chapter 9. Application Development Considerations

Application development is the process of planning, designing, and coding application programs that invoke RACF functions. This section highlights new support that might affect application development procedures:

• Programming interfaces
• RELEASE=2.4 keyword on macros
• Changes to RACROUTE REQUEST=FASTAUTH

Programming Interfaces

For a summary of changes to the programming interfaces for RACF for Release 4, see:

• “Class Descriptor Table (CDT)” on page 12
• “Data Areas” on page 15
• Figure 6 on page 17

RELEASE=2.4 Keyword on Macros

The RACROUTE, ICHEINTY, ICHEACTN, and ICHETEST macros support the value 2.4 on the RELEASE keyword, although they do not support new keywords that would require RELEASE=2.4 to be specified. Customers are not required to update existing programs to specify RELEASE=2.4. You should only use the RELEASE=2.4 keyword if you are using new keywords.

FASTAUTH Changes

Changes in this release allow:

• LOGSTR= parameter to be specified on the RACROUTE REQUEST=FASTAUTH macro
• Message suppression (MSGSUPP=YES) to be specified on the RACROUTE REQUEST=FASTAUTH macro
• ACEEALET=alet_addr parameter on RACROUTE REQUEST=FASTAUTH to specify the ALET value of any address space where an ACEE resides


Chapter 10. General User Considerations

RACF general users use RACF to:

• Log on to the system
• Access resources on the system
• Protect their own resources and any group resources to which they have the administrative authority

For more information on the output general users might receive, see OS/390 Security Server (RACF) General User's Guide.

Password History Changes

End users are no longer able to keep their favorite password by pretending to have forgotten it and getting a security administrator or help desk to reset it to a temporary value for them. RACF saves the old (favorite) password in the history list, making it unusable.



Glossary

A

access. The ability to obtain the use of a protected resource.

access authority. An authority related to a request for a type of access to protected resources. In RACF, the access authorities are NONE, EXECUTE, READ, UPDATE, CONTROL, and ALTER.

accessor environment element (ACEE). A description of the current user, including user ID, current connect group, user attributes, and group authorities. An ACEE is constructed during user identification and verification.

ACEE. See accessor environment element.

appropriate privileges. In the OpenEdition MVS implementation, superuser authority. A trusted or privileged attribute is an attribute associated with a started procedure address space and with any process associated with the address space.

AUDIT request. The issuing of the RACROUTE macro with REQUEST=AUDIT specified. An AUDIT request is a general-purpose security-audit request that can be used to audit a specified resource name and action.

AUTH request. The issuing of the RACROUTE macro with REQUEST=AUTH specified. The primary function of an AUTH request is to check a user's authorization to a RACF-protected resource or function. The AUTH request replaces the RACHECK function. See also authorization checking.

authority. The right to access objects, resources, or functions. See access authority, class authority, and group authority.

authorization checking. The action of determining whether a user is permitted access to a protected resource. RACF performs authorization checking as a result of a RACROUTE REQUEST=AUTH or RACROUTE REQUEST=FASTAUTH.

automatic command direction. An extension of command direction that causes RACF to automatically direct certain commands to one or more remote nodes after running the commands on the issuing node. Commands can be automatically directed based on who issued the command, the command name, or the profile class related to the command. Profiles in the RRSFDATA class control to which nodes commands are automatically directed. See also automatic password direction, automatic command direction, automatic direction of application updates, and command direction.

automatic direction. An RRSF function that automatically directs commands, ICHEINTY and RACROUTE macros, and password-related updates to one or more remote systems. See also automatic command direction, automatic password direction, and automatic direction of application updates.

automatic direction of application updates. An RRSF function that automatically directs ICHEINTY and RACROUTE macros that update the RACF database to one or more remote systems. Profiles in the RRSFDATA class control which macros are automatically directed, and to which nodes. See also automatic direction, automatic command direction, and automatic password direction.

automatic password direction. An extension of password synchronization and automatic command direction that causes RACF to automatically change the password for a user ID on one or more remote nodes after the password for that user ID is changed on the local node. Profiles in the RRSFDATA class control for which users and nodes passwords are automatically directed. See also password synchronization, automatic command direction, automatic direction of application updates, and automatic direction.

C

cache structure. A coupling facility structure that contains data accessed by systems in a sysplex. It provides a way for multiple systems to determine validity of copies of the cache structure data in local storage.

callable service. In OpenEdition MVS, a request by an active process for a service. Synonymous with syscall, system call.

CDT. See class descriptor table.

class. A collection of RACF-defined entities (users, groups, and resources) with similar characteristics. The class names are USER, GROUP, DATASET, and the classes that are defined in the class descriptor table.

class authority (CLAUTH). An authority enabling a user to define RACF profiles in a class defined in the class descriptor table. A user can have class authority to one or more classes.

class descriptor table (CDT). A table consisting of an entry for each class except the USER, GROUP, and DATASET classes. The table is generated by executing the ICHERCDE macro once for each class. The RACF class descriptor table contains both the IBM provided classes and also the installation defined classes.

CLAUTH. See class authority.

command direction. A RRSF function that allows a user to issue a command from one user ID and direct that command to run under the authority of a different user ID on the same or a different RRSF node. Before a command can be directed from one user ID to another, a user ID association must be defined between them via the RACLINK command.

command interpreter. A program that reads the commands that you type in and then executes them. When you are typing commands into the computer, you are actually typing input to the command interpreter. The interpreter then decides how to perform the commands that you have typed. The shell is an example of a command interpreter. Synonymous with command language interpreter. See also shell.

command language interpreter. Synonym for command interpreter.

coupling facility. The hardware element that provides high-speed caching, list processing, and locking functions in a sysplex.

D

Data Facility Product (DFP). A program that isolates applications from storage devices, storage management, and storage device hierarchy management.

data security. The protection of data from unauthorized disclosure, modification, or destruction, whether accidental or intentional.

data security monitor (DSMON). A RACF auditing tool that produces reports enabling an installation to verify its basic system integrity and data-security controls.

data set profile. A profile that provides RACF protection for one or more data sets. The information in the profile can include the data-set profile name, profile owner, universal access authority, access list, and other data. See discrete profile and generic profile.

data sharing mode. An operational RACF mode that is available when RACF is enabled for sysplex communication. Data sharing mode uses global resource serialization protocol that allows concurrent instances to directly access and change the same database while maintaining data integrity as always. Data sharing mode requires installation of coupling facility hardware.

DEFINE request. The issuing of the RACROUTE macro with REQUEST=DEFINE specified. Also, using a RACF command to add or delete a resource profile causes a DEFINE request. The DEFINE request replaces the RACDEF function.

DFP. See Data Facility Product.

DFP segment. The portion of a RACF profile containing information relating to the users and resources that are managed by the data facility product (DFP).

DIRAUTH request. The issuing of the RACROUTE macro with REQUEST=DIRAUTH specified. A DIRAUTH request works on behalf of the message-transmission managers to ensure that the receiver of a message meets security-label authorization requirements.

directed command. A RACF command that is issued from a user ID on an RRSF node. It runs in the RACF subsystem address space on the same or a different RRSF node under the authority of the same or a different user ID. A directed command is one that specifies AT or ONLYAT. See also command direction and automatic command direction.

directory. (1) A type of file containing the names and controlling information for other files or other directories. (2) A construct for organizing computer files. As files are analogous to folders that hold information, a directory is analogous to a drawer that can hold a number of folders. Directories can also contain subdirectories, which can contain subdirectories of their own. (3) A file that contains directory entries. No two directory entries in the same directory can have the same name. (4) A file that points to files and to other directories. (5) An index used by a control program to locate blocks of data that are stored in separate areas of a data set in direct access storage.

discrete profile. A resource profile that can provide RACF protection for only a single resource. For example, a discrete profile can protect only a single data set or minidisk.

DSMON. See data security monitor.

E

entity. A user, group, or resource (for example, a DASD data set) that is defined to RACF.

EXTRACT request. The issuing of the RACROUTE macro with REQUEST=EXTRACT specified. An EXTRACT request retrieves or replaces certain specified fields from a RACF profile or encodes certain clear-text (readable) data. The EXTRACT request replaces the RACXTRT function.

F

FASTAUTH request. The issuing of the RACROUTE macro with REQUEST=FASTAUTH specified. The primary function of a FASTAUTH request is to check a user's authorization to a RACF-protected resource or function. A FASTAUTH request uses only in-storage profiles for faster performance. The FASTAUTH request
programming interface.

group authority. An authority specifying which functions a user can perform in a group. The group authorities are USE, CREATE, CONNECT, and JOIN.

group identifier (GID). (1) In OpenEdition MVS, a unique number assigned to a group of related users. The GID can often be substituted in commands that take a group name as an argument. (2) A non-negative integer, which can be contained in an object of type gid_t, that is used to identify a group of system users. Each system user is a member of at least one group. When the identity of a group is associated with a process, a group ID value is referred to as a real group ID, an effective group ID, (optional) supplementary group IDs, or an (optional) saved set-group-ID.

group profile. A profile that defines a group. The information in the profile includes the group name, profile owner, and users in the group.