Instruction/ maintenance manual of the product GC28-1920-01 IBM
Go to page of 110
OS/390 Place graphic in this area. Outline is keyline only. DO NOT PRINT. IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-01.
.
OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-01.
Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page xi. Second Edition, September 1996 This is a major revision of GC28-1920-00.
iii.
iv OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Contents Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii About This Book ................................... xiii Who Should Use This Book .
Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Publications Library . . . . . . . . . . . . . . . . . . . . . . .
Chapter 9. Operational Considerations . . . . . . . . . . . . . . . . . . . . . 49 Enhancements to the RESTART Command .................... 4 9 Enabling and Disabling RACF ............................ 4 9 Chapter 10. Application Development Considerations .
viii OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Figures 1. Function Shipped In OS/390 Release 1 Security Server (RACF) ...... 5 2. Function Introduced After the Availability of OS/390 Release 1 Security Server (RACF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Function Introduced In OS/390 Release 2 Security Server (RACF) .
x OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program or service may be used.
Trademarks The following terms are trademarks of the IBM Corporation in the United States or other countries or both: AS/400 BookManager CICS CICS/ESA DB2 DFSMS DFSMS/MVS .
About This Book This book contains information about the Resource Access Control Facility (RACF), which is part of the OS/390 Security Server. The Security Server has two components: RACF OpenEdition DCE Security Server For information about the OpenEdition DCE Security Server, see the publications related to that component.
Chapter 7, “Administration Considerations” on page 37, summarizes changes to administration procedures for the new release of RACF. Chapter 8, “Auditing Considerations” on page 45, summarizes changes to auditing procedures for the new release of RACF.
RACF Courses The following RACF classroom courses are also available: Effective RACF Administration, H3927 MVS/ESA RACF Security Topics, H3918 Implementing RACF Security for CICS/ESA, H3992 IBM provides a variety of educational offerings for RACF.
Other Sources of Information IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is available through the Internet. IBM Discussion Areas Two discussion areas provided by IBM are the MVSRACF discussion and the SECURITY discussion.
You can get sample code, internally-developed tools, and exits to help you use RACF. All this code works 1 , but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use. The simplest way to reach this code is through the RACF home page.
Elements and Features in OS/390 You can use the following table to see the relationship of a product you are familiar with and how it is referred to in OS/390 Release 2. OS/390 Release 2 is made up of elements and features that contain function at or beyond the release level of the products listed in the following table.
Product Name and Level Name in OS/390 Base or Optional OpenEdition Application Services OpenEdition Application Services base OpenEdition DCE Base Services (OSF DCE level 1.1) OpenEdition DCE Base Services base OpenEdition DCE Distributed File Service (DFS) (OSF DCE level 1.
xx OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Summary of Changes Summary of Changes for GC28-1920-01 OS/390 Release 2 This book contains new information for OS/390 Release 2 Security Server (RACF).
xxii OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 1. Planning for Migration This chapter provides information to help you plan your installation's migration to the new release of RACF. Before attempting to migrate, you should define a plan to ensure a smooth and orderly transition. A well thought-out and documented migration plan can help minimize any interruption of service.
Installation Considerations Before installing a new release of RACF, you must determine what updates are needed for IBM-supplied products, system libraries, and non-IBM products. (Procedures for installing RACF are described in the program directory shipped with the product, not in this book.
Auditing Considerations Auditors who are responsible for ensuring proper access control and accountability for their installation are interested in changes to security options, audit records, and report generation utilities. For more information, see Chapter 8, “Auditing Considerations” on page 45.
4 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 2. Release Overview This chapter lists the new and enhanced features of RACF for OS/390 Release 2. It also lists the support that has not been updated in the new release.
Figure 2 on page 6 identifies function introduced after the availability of OS/390 Release 1 Security Server (RACF). Figure 3 identifies function introduced in OS/390 Release 2 Security Server (RACF). Figure 4 identifies function not shipped in OS/390 Release 2 Security Server (RACF), but available via PTF.
OS/390 OpenEdition DCE single signon support uses to sign in an authenticated OS/390 user to DCE. The RACF support for OS/390 OpenEdition DCE includes: The DCE segment, which contains DCE informat.
OS/390 OpenEdition OS/390 Release 2 OpenEdition adds new capabilities for which RACF provides support. Authorizing and Auditing Server Access to the CCS and WLM Services OS/390 Release 2 OpenEdition adds the capability to check whether servers are authorized to use the console communications service (CCS) and the workload manager (WLM) service.
so that the user's information can be customized independently of the user's workstation type. The SystemView Launch window lets users log on once, authenticating with their RACF password, a.
Output and notifications from commands that were directed via the AT or ONLYAT keywords. These are returned to the system on which the directed command was issued. Notifications from RACLINK commands. These are returned to the system on which the RACLINK command was issued.
the IRRDCR00 module to allow customers to convert a 3-byte packed decimal date to a 4-byte packed decimal date, using RACF's interpretation of the yy value.
The PTF must be applied to all systems in the sysplex in order for these enhancements to take effect. However, systems with and without the PTF applied can coexist in the sysplex, and there is no requirement to IPL all systems in the sysplex when the PTF is applied.
Chapter 3. Summary of Changes to RACF Components for OS/390 Release 2 This chapter summarizes the new and changed components of OS/390 Release 2 Security Server (RACF).
Figure 7 lists classes for which there are changes. Figure 6 (Page 2 of 2). New Classes Class Name Description Support FILE This class controls protection of shared file system (SFS) files on VM. RACF 1.10 for VM KEYSMSTR This class holds a key to encrypt DCE passwords stored in the RACF database.
Figure 8. Changes to RACF Commands Command Description Support all If an attempt is made to invoke a RACF command when RACF is not enabled, RACF issues message IRR418I, and the command is not processed.
Data Areas Figure 9 lists changed general-use programming interface (GUPI) data areas for SAF to support RACF for OS/390 Release 2. Figure 10 lists changed product-sensitive programming interface (PSPI) data areas for for RACF.
Figure 11. Changed Exits for RACF Exit Description Support ICHRCX01 ICHRCX02 For unauthenticated client ACEEs, the RACROUTE REQUEST=AUTH preprocessing and postprocessing exits are invoked for both the client ACEE and the server ACEE.
New Messages The following messages are added: RACF Initialization Messages: ICH562I RACF Processing Messages: IRR418I Dynamic Parse (IRRDPI00 Command) Messages: IRR52152I RACF Database Split/Merge Ut.
Panels Figure 13 lists RACF panels that are changed. Figure 13. Changed Panels for RACF Panel Description Support ICHP41I ICHP42I Existing panels for user administration of the NETVIEW segment have been updated to allow a user to add, change, or delete the NGMFVSPN field.
SYS1.SAMPLIB Figure 16 identifies changes to RACF members of SYS1.SAMPLIB. Figure 16. Changes to SYS1.SAMPLIB Member Description Support IRRADULD This member has been updated with the SMF type 80 record for the new event code 65. OS/390 OpenEdition IRRADULD This member has been updated to support RACF 1.
Figure 17. Changes to Templates Template Description of Change Support General A new SVFMR segment provides the following information: Field Description SCRIPTN Script name PARMN Parameter list name SystemView for MVS Group A new OVM segment provides OpenEdition for VM information associated with a group.
Figure 18. Changes to Utilities Utility Description of Change Support IRRADU00 The SMF data unload utility has been updated to support unloading data from audit records created on a system running RACF 1.10 for VM. This support allows RACF 1.10 for VM audit records to be processed by OS/390 Security Server (RACF).
Chapter 4. Planning Considerations This chapter describes the following high-level planning considerations for customers upgrading to Security Server (RACF) Release 2 from Security Server (RACF) Relea.
RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT or TYPE=REPLACE before installing OS/390 Release 2 Security Server (RACF). In addition to this book you should read: – OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1, – RACF Planning: Installation and Migration for RACF 2.
Figure 19. Software Requirements for New Function Function Software Requirements OS/390 OpenEdition DCE interoperability support OpenEdition/MVS Release 3 plus APAR OW15865 (PTF UW23684) C Run Time Li.
26 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 5. Installation Considerations This chapter describes changes of interest to the system programmer installing OS/390 Release 2 Security Server (RACF): Enabling RACF Considerations for .
prefix Is a value you specify with the PREFIX keyword on the TARGET command sysname Is the system name. This name must match the value in the CVTSNAME field for the system it identifies. ds_identity Is either INMSG or OUTMSG The naming convention for the workspace data sets for remote connections is now: prefix.
the description of the TARGET command in OS/390 Security Server (RACF) Command Language Reference for details. If any of the INMSG or OUTMSG workspace data sets are not empty, you should rename them to follow the new naming convention. For an example of JCL to perform this task, see Figure 20 on page 30.
//.
//RRSFALTR JOB 'JOB TO RENAME WORKSPACE DATA SETS',MSGLEVEL=1,1 // // USE A JOBCAT OR STEPCAT WHERE NEEDED TO POINT TO THE CATALOG // THAT CONTAINS THE INFORMATION NEEDED FOR YOUR DATA SETS.
RACF Storage Considerations This section discusses storage considerations for RACF. Virtual Storage Figure 21 estimates RACF virtual storage usage, for planning purposes.
Figure 21 (Page 2 of 2). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size ELSQA Connect group table 64 + (48 × number_of_groups_connected) In-storage generic profiles 160 + num.
Templates for RACF on OS/390 Release 2 The RACF database must have templates at the Security Server (RACF) Release 2 level in order for RACF to function properly. If a Security Server (RACF) Release 2 system is sharing the database with a lower-level system (RACF 1.
Chapter 6. Customization Considerations This chapter identifies customization considerations for RACF. For additional information, see OS/390 Security Server (RACF) System Programmer's Guide .
– The first check uses the client ACEE. This is the ACEE that is associated with the current task. If the request is successful, the second check is performed. – The second check uses the ACEE associated with the server. This is the same ACEE that is associated with the address space.
Chapter 7. Administration Considerations This chapter summarizes the changes to administration procedures that the security administrator should be aware of. For more information, see OS/390 Security Server (RACF) Security Administrator's Guide .
database. The mvsexpt utility takes a specified input file or the DCE registry for each principal specified and creates the RACF DCE segment and profiles in the RACF general resource class, DCEUUIDS. For more information on these utilities, see OpenEdition DCE Administration Guide .
The MVS user must have saved the current DCE password in the RACF DCE segment by invoking the DCE storepw command. Note: Users still need to maintain their passwords for RACF and OpenEdition DCE separately, and must use the DCE storepw to keep the DCE password that is stored in RACF current.
OpenEdition Planning , and in OS/390 OpenEdition Programming: Assembler Callable Services Reference . The C language support for the pthread_security_np() function is discussed in OS/390 R2 C/C ++ Run-Time Library Reference . Threads and Security An application that uses the pthread_security_np service can customize the RACF identity of a thread.
Changes to RACF Authorization Processing Extensions have been introduced to RACF's processing of authorization requests in which both the RACF identity of the server and the RACF identity of a client of the server application are used in a resource access decision.
resources. Profiles must reside in storage before RACROUTE REQUEST=FASTAUTH can be used to verify a user's access to a resource. The client/server relationship is not propagated from the application server.
SystemView for MVS Before an installation can use SystemView for MVS, the security administrator must: Create profiles in the SYSMVIEW class for SystemView for MVS applications. The profiles define logon script and parameter information for the applications.
44 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 8. Auditing Considerations This section summarizes the changes to auditing procedures for the RACF: SMF records Report writer utility SMF data unload utility The auditor must decide on appropriate global auditing options for the new classes and on which auditing reports are to be produced.
For more information on SMF records, see OS/390 Security Server (RACF) Macros and Interfaces . Figure 23 (Page 2 of 2). Changes to SMF Records Record Type Record Field Description of Change Support 80.
Auditing OS/390 OpenEdition DCE Support RACF provides one new audit function code (94) to audit OS/390 OpenEdition DCE support. Auditing SystemView for MVS Support Depending on the auditing options se.
48 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 9. Operational Considerations This section summarizes the changes to operating procedures for RACF for OS/390 Release 2. Enhancements to the RESTART Command The RESTART command has been enhanced. The new SYSNAME keyword allows an operator to restart connections to systems on a multisystem node.
50 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 10. Application Development Considerations Application development is the process of planning, designing, and coding application programs that invoke RACF functions.
The security administrator has the option of enforcing the use of both the application server's RACF identity and the RACF identity of the client in resource access control decisions. RACF support for OS/390 OpenEdition DCE introduces new indicators in the ACEE.
For more information on the convert_id_np (BPX1CID) callable service, see OS/390 OpenEdition Programming: Assembler Callable Services Reference . The C language support for the __convert_id_np() is di.
“Macros” on page 17 “Templates” on page 20 “Utilities” on page 21 “Routines” on page 19 54 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 11. General User Considerations RACF general users use RACF to: Log on to the system Access resources on the system Protect their own resources and any group resources to which they have administrative authority This chapter highlights new support that might affect general user procedures.
56 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 12. NJE Considerations Several APARs shipped on OS/390 Release 2 Security Server (RACF) have implications for NJE. APAR OW14451 OS/390 Release 2 Security Server (RACF) includes a PTF that provides functions that change the way inbound NJE jobs and NJE sysout are handled by RACF.
Actions Required With OW08457 and OW14451, group propagation and group translation has been fixed for NODES profiles, both for batch jobs and for SYSOUT. This change can significantly alter the external results of your NJE environment and your installation must decide what changes will best suit your needs.
List all GROUPJ and GROUPS NODES profiles that have a UACC value greater than or equal to READ, recording the profile names and all keywords necessary to add them back later. Then delete them. These profiles were previously irrelevant but now could result in failing jobs or unowned SYSOUT.
60 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 13. Scenarios This chapter contains scenarios that might help you in planning your migration to Security Server (RACF) Release 2. Migrating an Existing RRSF Network to Use Multisystem Nodes If.
2. Issue TARGET DORMANT commands from the operator's console to make all RRSF conversations dormant: prefix TARGET NODE(MIAMI1) DORMANT prefix TARGET NODE(ORLANDO) DORMANT 3. Issue a TARGET command from the operator's console to make MIAMI1 the main system on the new multisystem node MIAMI1.
5. Issue a TARGET command from the operator's console to define system SYSTEM1 as the MAIN system for the multisystem node. (Issuing this command allows you to reconfigure the node to make SYSTEM2 the main system at some future time.) prefix TARGET NODE(MIAMI1) SYSNAME(SYSTEM1) LOCAL MAIN OPERATIVE PREFIX(.
On MIAMI2: 1. Issue a TARGET command from the operator's console to define the connection with ORLANDO. prefix TARGET NODE(ORLANDO) OPERATIVE PREFIX(...) PROTOCOL(...) WORKSPACE(...) Add this command to the RACF parameter library for SYSTEM2. Note: The TARGET commands for SYSTEM1 and SYSTEM2 are now identical.
Glossary A access . The ability to obtain the use of a protected resource. access authority . An authority related to a request for a type of access to protected resources. In RACF, the access authorities are NONE, EXECUTE, READ, UPDATE, CONTROL, and ALTER.
user ID on the same or a different RRSF node. Before a command can be directed from one user ID to another, a user ID association must be defined between them via the RACLINK command. command interpreter . A program that reads the commands that you type in and then executes them.
F FASTAUTH request . The issuing of the RACROUTE macro with REQUEST=FASTAUTH specified. The primary function of a FASTAUTH request is to check a user's authorization to a RACF-protected resource or function. A FASTAUTH request uses only in-storage profiles for faster performance.
is the local LU, and the LU through which communication is received is the partner LU. local node . The RRSF node from whose point of view you are talking. For example, if MVSA and MVSB are two RRSF nodes that are logically connected, from MVSA's point of view MVSA is the local node, and from MVSB's point of view MVSB is the local node.
Daemon processes, which do systemwide functions in user mode, such as printer spooling Kernel processes, which do systemwide functions in kernel mode, such as paging A process can run in an OpenEdition user address space, an OpenEdition forked address space, or an OpenEdition kernel address space.
RRSF nodes that are logically connected, from MVSX's point of view MVSY is a remote node, and from MVSY's point of view MVSX is a remote node.
sysplex communication . An optional RACF function that allows the system to use XCF services and communicate with other systems that are also enabled for sysplex communication. system authorization facility (SAF) . An MVS component that provides a central point of control for security decisions.
OpenEdition MVS, a string that is used to identify a user. user profile . A description of a RACF-defined user that includes the user ID, user name, default group name, password, profile owner, user attributes, and other information. A user profile can include information for subsystems such as TSO and DFP.
Index A ADDUSER command 15 administration classroom courses xv administration considerations migration 2 Airline Control System/MVS, support for 11 ALCS/MVS support ALCSAUTH class 13 ALCS/MVS, support.
DCE support (continued) auditing considerations 47 command changes 15 controlling access to R_dceruid callable service 42 DCEUUIDS class 13 deleting RACF user IDs 42 description 6 effect on exits 35, .
J JCICSJCT class 14, 53 JCL for renaming workspace data sets 30 K KCICSJCT class 14, 53 KEYSMSTR class 14 L library, RACF publications changes to 19 LSQA storage requirement 32 M macros changes to 17 .
PLPA storage requirement 32 programming interfaces changes to CDT 13 data areas 16 new routines 19 templates 21 publications changes to RACF library 19 on CD-ROM xiv softcopy xiv R R_dceruid callable service 42 RACDBULD member of SYS1.SAMPLIB 20 RACDBUTB member of SYS1.
SMF data unload utility auditing considerations 47 changes to 22 SMF records changes to 45 OpenEdition DCE support 46 OpenEdition services 45 SOMDOBJS class 14 SOMobjects for MVS, support for administ.
78 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration.
IBM Let's face it, you have to search through a ton of hardcopy manuals to locate all of the information you need to secure your entire system.
.
.
Communicating Your Comments to IBM OS/390 Security Server (RACF) Planning: Installation and Migration Publication No. GC28-1920-01 If you especially like or dislike anything about this book, please use one of the methods listed below to send your comments to IBM.
Reader's Comments — We'd Like to Hear from You OS/390 Security Server (RACF) Planning: Installation and Migration Publication No. GC28-1920-01 You may use this form to communicate your com.
Cut or Fold Along Line Cut or Fold Along Line Reader's Comments — We'd Like to Hear from You GC28-1920-01 IBM Fold and Tape Please do not staple Fold and Tape NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO.
.
IBM Program Number: 5645-001 Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber. Drop in Back Cover Image Here.
An important point after buying a device IBM GC28-1920-01 (or even before the purchase) is to read its user manual. We should do this for several simple reasons:
If you have not bought IBM GC28-1920-01 yet, this is a good time to familiarize yourself with the basic data on the product. First of all view first pages of the manual, you can find above. You should find there the most important technical data IBM GC28-1920-01 - thus you can check whether the hardware meets your expectations. When delving into next pages of the user manual, IBM GC28-1920-01 you will learn all the available features of the product, as well as information on its operation. The information that you get IBM GC28-1920-01 will certainly help you make a decision on the purchase.
If you already are a holder of IBM GC28-1920-01, but have not read the manual yet, you should do it for the reasons described above. You will learn then if you properly used the available features, and whether you have not made any mistakes, which can shorten the lifetime IBM GC28-1920-01.
However, one of the most important roles played by the user manual is to help in solving problems with IBM GC28-1920-01. Almost always you will find there Troubleshooting, which are the most frequently occurring failures and malfunctions of the device IBM GC28-1920-01 along with tips on how to solve them. Even if you fail to solve the problem, the manual will show you a further procedure – contact to the customer service center or the nearest service center