Instruction/ maintenance manual of the product OS/390 IBM
Go to page of 76
OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-03.
.
OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-03.
Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page vii. Fourth Edition, September 1997 This is a major revision of GC28-1920-02.
Contents Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix About This Book .................................... x i Who Should Use This Book .
SYS1.SAMPLIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Publications Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Chapter 4. Planning Considerations . . . . . . . . . . . . . . . . . .
Figures 1. New Callable Services ............................. 1 1 2. Changed Callable Services ........................... 1 2 3. New Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 4. Changes to RACF Commands .......
vi OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program, or service may be used.
viii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
Trademarks The following terms are trademarks of the IBM Corporation in the United States or other countries or both: AIX/6000 BookManager CICS CICS/ESA DB2 DFSMS FFST .
x OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
About This Book This book contains information about the Resource Access Control Facility (RACF), which is part of the OS/390 Security Server. The Security Server has two components: RACF OpenEdition DCE Security Server For information about the OpenEdition DCE Security Server, see the publications related to that component.
Chapter 6, “Customization Considerations” on page 29, highlights information about customizing function to take advantage of new support after the new release of RACF is installed. Chapter 7, “Administration Considerations” on page 31, summarizes changes to administration procedures for the new release of RACF.
RACF Courses The following RACF classroom courses are also available: Effective RACF Administration, H3927 MVS/ESA RACF Security Topics, H3918 Implementing RACF Security for CICS/ESA, H3992 IBM provides a variety of educational offerings for RACF.
Other Sources of Information IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is available through the Internet. IBM Discussion Areas Two discussion areas provided by IBM are the MVSRACF discussion and the SECURITY discussion.
You can get sample code, internally-developed tools, and exits to help you use RACF. All this code works in our environment, at the time we make it available, but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use.
xvi OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
Summary of Changes | Summary of Changes | for GC28-1920-03 | OS/390 Version 2 Release 4 | This book contains primarily new information for OS/390 Version 2 Release 4 | Security Server (RACF). When any information appeared in an earlier release, the | information that is new is indicated by a vertical line to the left of the change.
xviii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 1. Planning for Migration This chapter provides information to help you plan your installation's migration to the new release of OS/390 Security Server (RACF). Before attempting to migrate, you should define a plan to ensure a smooth and orderly transition.
Installation Considerations Before installing a new release of RACF, you must determine what updates are needed for IBM-supplied products, system libraries, and non-IBM products. (Procedures for installing RACF are described in the program directory shipped with OS/390, not in this book.
Auditing Considerations Auditors who are responsible for ensuring proper access control and accountability for their installation are interested in changes to security options, audit records, and report generation utilities. For more information, see Chapter 8, “Auditing Considerations” on page 33.
4 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 2. Release Overview This chapter lists the new and enhanced functions of RACF for OS/390 Release 4 and gives a brief overview of each new function or function enhancement.
Enhancements to Support for OpenEdition Services Enhancements to RACF's support for OpenEdition services include: Extended ability to audit the use of superuser status Default USER/GROUP .
The getUMAP and getGMAP services also look for default values. If getUMAP is given a UID as input and the corresponding USER profile has no OMVS segment, the caller of the getUMAP service receives the default. If no default value is found, RACF return code 8, reason code 4 are returned by the getUMAP service.
The ALTUSER command allows an administrator to reset a user's password to a temporary password or a default value. This command is modified to save the old password whenever the password is reset. The PASSWORD USER ( userid ) command provides users and administrators with a password reset function.
system. This support provides a solution to many customers that find themselves in such a situation. The PERMIT command has a new keyword to add users and groups to the conditional access list, WHEN(SYSID(...)). This keyword is allowed only for the PROGRAM class.
Enable/Disable Changes OS/390 Version 2 Release 4 has a new product ID that affects the enable/disable function in all of its elements including the Security Server. The ID() value used in the IFAPRDxx parmlib member needs to be "5647-A01". The remainder of the parameters remain the same.
Chapter 3. Summary of Changes to RACF Components for OS/390 Release 4 This chapter summarizes the new and changed components of OS/390 Release 4 Security Server (RACF).
Figure 2. Changed Callable Services Callable Service Name Description Support initUSP If no OMVS segment is found in the user's profile, the initUSP service checks the BPX.DEFAULT.USER profile in the FACILITY class. This profile may contain a user ID in its application data field that provides a default OMVS segment.
Figure 3. New Classes Name Description Support DSNADM DB2 administrative authority class DB2 GDSNBP Grouping class for buffer pool privileges DB2 GDSNCL Grouping class for collection privileges DB2 GD.
Figure 4 (Page 2 of 3). Changes to RACF Commands Command Description Support ALTUSER This command supports the removal of all of the user's CLAUTH authorities by using NOCLAUTH(*). For more information on the ALTUSER NOCLAUTH keywords, see OS/390 Security Server (RACF) Command Language Reference .
Figure 4 (Page 3 of 3). Changes to RACF Commands Command Description Support TARGET The new keyword WDSQUAL is added to the RACF TARGET command to indicate that the variable that follows will be used .
Figure 5. Changes to PSPI Data Areas Data Area Description Support AFC This data area maps the contents for the Open Edition MVS security audit function codes. An audit function code has been added to audit when ck_priv is called from OpenEdition_spawn (BPX1SPN).
RFXALET and RFXLOGS correspond to new fields in the RACROUTE REQUEST=FASTAUTH parameter list. These fields only exist in parameter lists created with RELEASE=2.4 or higher. Therefore, these fields must only be accessed when the RFXPVERS indicates Release 2.
RALTER Command Messages: ICH11304I SETROPTS Command Messages: ICH14042I RACF Manager Error Messages: ICH51011I RACF Processing Messages: IRR410I RACF Utility Messages: IRR67032I, IRR67034I, IRR67124I,.
Figure 7. New Panels for RACF Panel Description Support ICHP241n This panel enables you to add an entry for the conditional access list and to identify the access authority for it.
Publications Library Figure 10 lists changes to the OS/390 Security Server (RACF) publications library. Note: You are able to print the softcopy documentation, either in its entirety or simply portions of it.
Chapter 4. Planning Considerations This chapter describes the following high-level planning considerations for customers upgrading to OS/390 Release 4 Security Server (RACF) from OS/390 Release 3 Secu.
– OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1.(GC28-1920-00) If you have RACF 1.9.2 installed, in addition to this book, you should read: – OS/390 Secur.
Compatibility This section describes considerations for compatibility between OS/390 Release 4 Security Server (RACF) and OS/390 Release 3 Security Server (RACF). OpenEdition MVS If you are an OpenEdition MVS user, be sure to review carefully the following information on possible changes.
24 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 5. Installation Considerations This chapter describes the following changes of interest to the system programmer installing OS/390 Release 4 Security Server (RACF): Virtual storage considerations Templates RACF Storage Considerations This section discusses storage considerations for RACF.
Figure 11 (Page 2 of 3). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size ESQA RACF data sharing control area 300 (when enabled for sysplex communication) Class descriptor table.
Figure 11 (Page 3 of 3). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size ECSA RACF data set descriptor table and extension 168 + (896 × number_of_RACF_primary_data_sets) RACF .
28 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 6. Customization Considerations This chapter identifies customization considerations for OS/390 Release 4 Security Server (RACF). For additional information, see OS/390 Security Server (RACF) System Programmer's Guide .
Set the options in the RACF/DB2 external security module. To do this, see OS/390 Security Server (RACF) System Programmer's Guide . Decide which DB2 objects are to be protected using RACF. Define the appropriate profiles. To do this, see OS/390 Security Server (RACF) Security Administrator's Guide .
Chapter 7. Administration Considerations This chapter summarizes the changes to administration procedures that the security administrator should be aware of. For more information, see OS/390 Security Server (RACF) Security Administrator's Guide .
Enhancements of Global Access Checking When you use RACROUTE REQUEST=AUTH processing (which utilizes global access checking) for general resource classes, these classes can be processed whether or not the class is RACLISTed using SETROPTS RACLIST or RACROUTE REQUEST=LIST.
Chapter 8. Auditing Considerations This section summarizes the changes to auditing procedures for SMF records. SMF Records Figure 12 summarizes changes to SMF records created by RACF for OS/390 Release 4. These changes are general-use programming interfaces (GUPI).
34 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 9. Application Development Considerations Application development is the process of planning, designing, and coding application programs that invoke RACF functions. This section highlights new support that might affect application development procedures: Programming interfaces RELEASE=2.
36 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
Chapter 10. General User Considerations RACF general users use RACF to: Log on to the system Access resources on the system Protect their own resources and any group resources to which the.
38 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
Glossary A access . The ability to obtain the use of a protected resource. access authority . An authority related to a request for a type of access to protected resources. In RACF, the access authorities are NONE, EXECUTE, READ, UPDATE, CONTROL, and ALTER.
DATASET classes. The table is generated by executing the ICHERCDE macro once for each class. The class descriptor table contains both the IBM provided classes and also the installation defined classes. CLAUTH . See class authority . command direction .
E entity . A user, group, or resource (for example, a DASD data set) that is defined to RACF. EXTRACT request . The issuing of the RACROUTE macro with REQUEST=EXTRACT specified. An EXTRACT request retrieves or replaces certain specified fields from a RACF profile or encodes certain clear-text (readable) data.
L LIST request . The issuing of the RACROUTE macro with REQUEST=LIST specified. A LIST request builds in-storage profiles for RACF-defined resources. The LIST request replaces the RACLIST function. local logical unit (LU) . Local LUs are LUs defined to the MVS system; partner LUs are defined to remote systems.
posit . A number specified for each class in the class descriptor table that identifies a set of flags that control RACF processing options. See the keyword description for posit in OS/390 Security Server (RACF) Macros and Interfaces . process . (1) A function being performed or waiting to be performed.
set that is RACF-protected by a discrete profile must also be RACF-indicated. RACROUTE macro . An assembler macro that provides a means of calling RACF to provide security functions.
supervisor . The part of a control program that coordinates the use of resources and maintains the flow of processing unit operations. Synonym for supervisory routine . supervisory routine . A routine, usually part of an operating system, that controls the execution of other routines and regulates the flow of work in a data processing system.
security program for the system. The batch job owner is specified on the USER parameter on the JOB statement or inherited from the submitter of the job. This user ID identifies a RACF user profile. OMVS user ID: A numeric value between 0 and 2147483647, called a UID (or sometimes a user number), that identifies a user to OpenEdition services.
How to Get Your RACF CD Let's face it, you have to search through a ton of hardcopy manuals to locate all of the information you need to secure your entire system.
48 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration.
Index A access list entry conditional 23 standard 23 ACEEALET keyword 16 ADDUSER command 15 administration classroom courses xiii administration considerations migration 2 ALTUSER command 7, 13, 14, 1.
getGMAP callable service 6, 12 getUMAP callable service 6, 12 global access checking 10 H hardware requirements planning considerations 22 HRF2240 9 I ICHEACTN macro, changes to 17 ICHEINTY macro, cha.
R R_Admin callable service 8, 11 RACF classroom courses xiii publications on CD-ROM xii softcopy xii RACF 1.9 migration path from 22 RACF 1.9.2 migration path from 22 RACF 2.1 migration path from 22 RACF 2.2 migration path from 21 RACF administration classroom courses xiii RACF panels changed 19 RACF releases prior to 1.
.
Readers' Comments — We'd Like to Hear from You OS/390 Security Server (RACF) Planning: Installation and Migration Publication No. GC28-1920-03 Overall, how satisfied are you with the infor.
Cut or Fold Along Line Cut or Fold Along Line Readers' Comments — We'd Like to Hear from You GC28-1920-03 IBM Fold and Tape Please do not staple Fold and Tape NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO.
.
IBM Program Number: 5647-A01 Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber. GC28-192ð-ð3.
An important point after buying a device IBM OS/390 (or even before the purchase) is to read its user manual. We should do this for several simple reasons:
If you have not bought IBM OS/390 yet, this is a good time to familiarize yourself with the basic data on the product. First of all view first pages of the manual, you can find above. You should find there the most important technical data IBM OS/390 - thus you can check whether the hardware meets your expectations. When delving into next pages of the user manual, IBM OS/390 you will learn all the available features of the product, as well as information on its operation. The information that you get IBM OS/390 will certainly help you make a decision on the purchase.
If you already are a holder of IBM OS/390, but have not read the manual yet, you should do it for the reasons described above. You will learn then if you properly used the available features, and whether you have not made any mistakes, which can shorten the lifetime IBM OS/390.
However, one of the most important roles played by the user manual is to help in solving problems with IBM OS/390. Almost always you will find there Troubleshooting, which are the most frequently occurring failures and malfunctions of the device IBM OS/390 along with tips on how to solve them. Even if you fail to solve the problem, the manual will show you a further procedure – contact to the customer service center or the nearest service center
