Page 3 - IBM
OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-03
Page 4 - Fourth Edition, September 1997
Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page vii. Fourth Edition, September 1997 This is a major revision of GC28-1920-02. This edition applies to Version 2 Release 4 of OS/390 (5647-A01) and to all subsequent release...
Page 5 - Contents; iii
Contents: Notices, vii; Trademarks, ix; About This Book, xi; Who Should U...
Page 6 - iv
SYS1.SAMPLIB, 19; Publications Library, 20; Chapter 4. Planning Considerations, 21; Migration Strategy ...
Page 7 - Figures
Figures: 1. New Callable Services, 11; 2. Changed Callable Services, 12; 3. New Classes, 13; 4. Changes to RACF Commands ...
Page 9 - Notices; vii
Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program, or servic...
Page 10 - viii
viii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration
Page 11 - Trademarks; ix
Trademarks The following terms are trademarks of the IBM Corporation in the United States or other countries or both: AIX/6000 BookManager CICS CICS/ESA DB2 DFSMS FFST FFST/MVS IBM IBMLink IMS Library Reader MVS/ESA MVS/XA NetView OpenEdition OS/2 OS/390 Parallel...
Page 13 - About This Book; Who Should Use This Book; xi
About This Book This book contains information about the Resource Access Control Facility (RACF), which is part of the OS/390 Security Server. The Security Server has two components: RACF and OpenEdition DCE Security Server. For information about the OpenEdition DCE Security Server, see the publication...
Page 14 - Where to Find More Information; Softcopy Publications; xii
Chapter 6, “Customization Considerations” on page 29, highlights information about customizing function to take advantage of new support after the new release of RACF is installed. Chapter 7, “Administration Considerations” on page 31, summarizes changes to administration procedures for the new rel...
Page 15 - RACF Courses; IBM Systems Center Publications; xiii
RACF Courses The following RACF classroom courses are also available: Effective RACF Administration, H3927; MVS/ESA RACF Security Topics, H3918; Implementing RACF Security for CICS/ESA, H3992. IBM provides a variety of educational offerings for RACF. For more information on classroom courses and o...
Page 16 - Other Sources of Information; IBM Discussion Areas; MVSRACF; Internet Sources; RACF home page; RACF-L discussion list; Sample code; xiv
Other Sources of Information IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is available through the Internet. IBM Discussion Areas Two discussion areas provided by IBM are the MVSRACF discussion and the SECURITY discuss...
Page 17 - Restrictions; To Request Copies of IBM Publications; xv
You can get sample code, internally-developed tools, and exits to help you use RACF. All this code works in our environment, at the time we make it available, but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use. The si...
Page 19 - Summary of Changes; xvii
Summary of Changes Summary of Changes for GC28-1920-03 OS/390 Version 2 Release 4 This book contains primarily new information for OS/390 Version 2 Release 4 Security Server (RACF). When any information appeared in an earlier release, the information that is new is indicated by a vertica...
Page 21 - Chapter 1. Planning for Migration; Migration Planning Considerations
Chapter 1. Planning for Migration This chapter provides information to help you plan your installation's migration to the new release of OS/390 Security Server (RACF). Before attempting to migrate, you should define a plan to ensure a smooth and orderly transition. A well thought-out and documented mig...
Page 22 - Installation Considerations; Customization Considerations
Installation Considerations Before installing a new release of RACF, you must determine what updates are needed for IBM-supplied products, system libraries, and non-IBM products. (Procedures for installing RACF are described in the program directory shipped with OS/390, not in this book.) Be sure you i...
Page 25 - Chapter 2. Release Overview; New and Enhanced Support
Chapter 2. Release Overview This chapter lists the new and enhanced functions of RACF for OS/390 Release 4 and gives a brief overview of each new function or function enhancement. New and Enhanced Support For OS/390 Release 4, RACF provides: Support for the RACF/DB2 external security module; Addit...
Page 26 - Enhancements to Support for OpenEdition Services; Extended Ability to Audit the Use of Superuser Status
Enhancements to Support for OpenEdition Services Enhancements to RACF's support for OpenEdition services include: Extended ability to audit the use of superuser status; Default USER/GROUP support provided by APAR OW26800. Extended Ability to Audit the Use of Superuser Status This support allows th...
Page 28 - Program Control by System ID
The ALTUSER command allows an administrator to reset a user's password to a temporary password or a default value. This command is modified to save the old password whenever the password is reset. The PASSWORD USER(userid) command provides users and administrators with a password reset function....
Page 31 - Callable Services
Chapter 3. Summary of Changes to RACF Components for OS/390 Release 4 This chapter summarizes the new and changed components of OS/390 Release 4 Security Server (RACF). It includes the following summary charts for changes to the RACF: Callable Services, Class descriptor table (CDT), Commands, Data...
Page 33 - Commands
Figure 3. New Classes
Name | Description | Support
DSNADM | DB2 administrative authority class | DB2
GDSNBP | Grouping class for buffer pool privileges | DB2
GDSNCL | Grouping class for collection privileges | DB2
GDSNDB | Grouping class for database privileges | DB2
GDSNPK | Grouping class for package privileges | DB2
GDS...
Page 35 - Data Areas
Figure 4 (Page 3 of 3). Changes to RACF Commands Command Description Support TARGET The new keyword WDSQUAL is added to the RACF TARGET command to indicate that the variable that follows will be used by RRSF as the middle qualifier for the work space data set names of the INMSG and OUTMSG queues for the...
Page 36 - Exits
Figure 5. Changes to PSPI Data Areas Data Area Description Support AFC This data area maps the contents for the OpenEdition MVS security audit function codes. An audit function code has been added to audit when ck_priv is called from OpenEdition_spawn(BPX1SPN). Auditability of super user requests. COMP ...
Page 37 - Macros; Messages; PERMIT Command Messages ICH06021I; Changed Messages; PERMIT Command Messages: ICH06018I
RFXALET and RFXLOGS correspond to new fields in the RACROUTE REQUEST=FASTAUTH parameter list. These fields only exist in parameter lists created with RELEASE=2.4 or higher. Therefore, these fields must only be accessed when the RFXPVERS indicates Release 2.4 or higher. Macros Figure 6 lists changes to ...
Page 38 - Deleted Messages; Panels
RALTER Command Messages: ICH11304I; SETROPTS Command Messages: ICH14042I; RACF Manager Error Messages: ICH51011I; RACF Processing Messages: IRR410I; RACF Utility Messages: IRR67032I, IRR67034I, IRR67124I, IRR67153I, IRR67183I; RRSF Enveloping Messages: IRRV002I, IRRV005I, IRRV013I, IRRV014I; RACF Operation...
Page 40 - Publications Library
Publications Library Figure 10 lists changes to the OS/390 Security Server (RACF) publications library. Note: You are able to print the softcopy documentation, either in its entirety or simply portions of it. Figure 10. Changes to the RACF Publications Library Publication Change OS/390 Security Serve...
Page 41 - Chapter 4. Planning Considerations; Migration Strategy
Chapter 4. Planning Considerations This chapter describes the following high-level planning considerations for customers upgrading to OS/390 Release 4 Security Server (RACF) from OS/390 Release 3 Security Server (RACF): Migration strategy, Migration paths, Hardware requirements, Compatibility, Mig...
Page 42 - Hardware Requirements
– OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1 (GC28-1920-00). If you have RACF 1.9.2 installed, in addition to this book, you should read: – OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 2 (GC28-1920-01) and Release 3 ...
Page 43 - For Auditability of Superusers
Compatibility This section describes considerations for compatibility between OS/390 Release 4 Security Server (RACF) and OS/390 Release 3 Security Server (RACF). OpenEdition MVS If you are an OpenEdition MVS user, be sure to review carefully the following information on possible changes. For Auditabi...
Page 45 - Chapter 5. Installation Considerations; RACF Storage Considerations; Virtual Storage
Chapter 5. Installation Considerations This chapter describes the following changes of interest to the system programmer installing OS/390 Release 4 Security Server (RACF): Virtual storage considerations, Templates. RACF Storage Considerations This section discusses storage considerations for RACF....
Page 47 - Templates for RACF on OS/390 Release 4
Figure 11 (Page 3 of 3). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size ECSA RACF data set descriptor table and extension 168 + (896 × number_of_RACF_primary_data_sets) RACF ICB (non-shared DB) 4096 per RACF database if the database is not shared and is not on a device marked a...
Page 49 - Chapter 6. Customization Considerations; Customer Additions to the Router Table and the CDT; RACF/DB2 External Security Module Customization
Chapter 6. Customization Considerations This chapter identifies customization considerations for OS/390 Release 4 Security Server (RACF). For additional information, see OS/390 Security Server (RACF) System Programmer's Guide. Customer Additions to the Router Table and the CDT Installations must veri...
Page 50 - Exit Processing
Set the options in the RACF/DB2 external security module. To do this, see OS/390 Security Server (RACF) System Programmer's Guide. Decide which DB2 objects are to be protected using RACF. Define the appropriate profiles. To do this, see OS/390 Security Server (RACF) Security Administrator's Guide....
Page 51 - Chapter 7. Administration Considerations; The TMEADMIN Class; Password History Changes
Chapter 7. Administration Considerations This chapter summarizes the changes to administration procedures that the security administrator should be aware of. For more information, see OS/390 Security Server (RACF) Security Administrator's Guide. The TMEADMIN Class The new TMEADMIN class is used to as...
Page 52 - Enhancements of Global Access Checking
Enhancements of Global Access Checking When you use RACROUTE REQUEST=AUTH processing (which utilizes global access checking) for general resource classes, these classes can be processed whether or not the class is RACLISTed using SETROPTS RACLIST or RACROUTE REQUEST=LIST.
Page 53 - Chapter 8. Auditing Considerations; SMF Records
Chapter 8. Auditing Considerations This section summarizes the changes to auditing procedures for SMF records. SMF Records Figure 12 summarizes changes to SMF records created by RACF for OS/390 Release 4. These changes are general-use programming interfaces (GUPI). For more information on SMF records...
Page 55 - Chapter 9. Application Development Considerations; Programming Interfaces
Chapter 9. Application Development Considerations Application development is the process of planning, designing, and coding application programs that invoke RACF functions. This section highlights new support that might affect application development procedures: Programming interfaces RELEASE=2.4 ...
Page 57 - Chapter 10. General User Considerations
Chapter 10. General User Considerations RACF general users use RACF to: Log on to the system; Access resources on the system; Protect their own resources and any group resources to which they have administrative authority. For more information on the output general users might receive, see OS/390 ...
Page 59 - Glossary
Glossary A access. The ability to obtain the use of a protected resource. access authority. An authority related to a request for a type of access to protected resources. In RACF, the access authorities are NONE, EXECUTE, READ, UPDATE, CONTROL, and ALTER. accessor environment element (ACEE). A descriptio...
Page 67 - How to Get Your RACF CD
How to Get Your RACF CD Let's face it, you have to search through a ton of hardcopy manuals to locate all of the information you need to secure your entire system. There are manuals for OS/390, VM, CICS, TSO/E; technical bulletins from the International Technical Support Organization (“redbooks”), Washi...
Page 69 - Index
Index A access list entry conditional 23 standard 23 ACEEALET keyword 16 ADDUSER command 15 administration classroom courses xiii administration considerations migration 2 ALTUSER command 7, 13, 14, 15 application development considerations migration 3 auditing 23 auditing considerations changed SMF r...