Page 3 - IBM
OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-01
Page 4 - Second Edition, September 1996
Note: Before using this information and the product it supports, be sure to read the general information under “Notices” on page xi. Second Edition, September 1996. This is a major revision of GC28-1920-00. This edition applies to Version 1 Release 2 of OS/390 (5645-001) and to all subsequent releases...
Page 6 - iv
iv OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration
Page 7 - Contents
Contents: Notices, xi; Trademarks, xii; About This Book, xiii; Who Should U...
Page 9 - vii
Chapter 9. Operational Considerations, 49; Enhancements to the RESTART Command, 49; Enabling and Disabling RACF, 49; Chapter 10. Application Development Considerations ...
Page 11 - Figures; ix
Figures: 1. Function Shipped In OS/390 Release 1 Security Server (RACF), 5; 2. Function Introduced After the Availability of OS/390 Release 1 Security Server (RACF), 6; 3. Function Introduced In OS/390 Release 2 Security Ser...
Page 13 - Notices; xi
Notices. References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program or service...
Page 14 - Trademarks; xii
Trademarks. The following terms are trademarks of the IBM Corporation in the United States or other countries or both: AS/400, BookManager, CICS, CICS/ESA, DB2, DFSMS, DFSMS/MVS, IBM, IBMLink, IMS, Library Reader, MVS, MVS/ESA, MVS/XA, NetView, OpenEdition, OS/2, OS/390, Parallel S...
Page 15 - About This Book; Who Should Use This Book; xiii
About This Book. This book contains information about the Resource Access Control Facility (RACF), which is part of the OS/390 Security Server. The Security Server has two components: RACF; OpenEdition DCE Security Server. For information about the OpenEdition DCE Security Server, see the publication...
Page 16 - xiv
Chapter 7, “Administration Considerations” on page 37, summarizes changes to administration procedures for the new release of RACF. Chapter 8, “Auditing Considerations” on page 45, summarizes changes to auditing procedures for the new release of RACF. Chapter 9, “Operational Considerations” on p...
Page 17 - xv
RACF Courses. The following RACF classroom courses are also available: Effective RACF Administration, H3927; MVS/ESA RACF Security Topics, H3918; Implementing RACF Security for CICS/ESA, H3992. IBM provides a variety of educational offerings for RACF. For more information on classroom courses and o...
Page 18 - Other Sources of Information; IBM Discussion Areas; MVSRACF; Internet Sources; RACF home page; Sample code; xvi
Other Sources of Information. IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is available through the Internet. IBM Discussion Areas. Two discussion areas provided by IBM are the MVSRACF discussion and the SECURITY discuss...
Page 19 - Restrictions; To Request Copies of IBM Publications; xvii
You can get sample code, internally-developed tools, and exits to help you use RACF. All this code works¹, but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use. The simplest way to reach this code is through the RACF...
Page 20 - Elements and Features in OS/390; xviii
Elements and Features in OS/390. You can use the following table to see the relationship of a product you are familiar with and how it is referred to in OS/390 Release 2. OS/390 Release 2 is made up of elements and features that contain function at or beyond the release level of the products listed in ...
Page 21 - xix
Product Name and Level | Name in OS/390 | Base or Optional
OpenEdition Application Services | OpenEdition Application Services | base
OpenEdition DCE Base Services (OSF DCE level 1.1) | OpenEdition DCE Base Services | base
OpenEdition DCE Distributed File Service (DFS) (OSF DCE level 1.1) | OpenEdition D...
Page 23 - Summary of Changes; xxi
Summary of Changes. Summary of Changes for GC28-1920-01, OS/390 Release 2: This book contains new information for OS/390 Release 2 Security Server (RACF). Summary of Changes for GC28-1920-00, OS/390 Release 1: This book contains information previously presented in RACF Planning: Installation and Migration, G...
Page 25 - Chapter 1. Planning for Migration; Migration Planning Considerations
Chapter 1. Planning for Migration. This chapter provides information to help you plan your installation's migration to the new release of RACF. Before attempting to migrate, you should define a plan to ensure a smooth and orderly transition. A well thought-out and documented migration plan can help mini...
Page 26 - Installation Considerations; Customization Considerations
Installation Considerations. Before installing a new release of RACF, you must determine what updates are needed for IBM-supplied products, system libraries, and non-IBM products. (Procedures for installing RACF are described in the program directory shipped with the product, not in this book.) Be sure ...
Page 29 - Chapter 2. Release Overview; New and Enhanced Support
Chapter 2. Release Overview. This chapter lists the new and enhanced features of RACF for OS/390 Release 2. It also lists the support that has not been updated in the new release. New and Enhanced Support. For OS/390 Release 2, RACF provides new and enhanced support for: OS/390 OpenEdition DCE; OS/3...
Page 30 - OS/390 OpenEdition DCE
Figure 2 on page 6 identifies function introduced after the availability of OS/390 Release 1 Security Server (RACF). Figure 3 identifies function introduced in OS/390 Release 2 Security Server (RACF). Figure 4 identifies function not shipped in OS/390 Release 2 Security Server (RACF), but available via...
Page 32 - Auditing the Passing of Access Rights; SOMobjects for MVS
OS/390 OpenEdition. OS/390 Release 2 OpenEdition adds new capabilities for which RACF provides support. Authorizing and Auditing Server Access to the CCS and WLM Services. OS/390 Release 2 OpenEdition adds the capability to check whether servers are authorized to use the console communications service (C...
Page 33 - Multisystem Nodes in an RRSF Network
so that the user's information can be customized independently of the user's workstation type. The SystemView Launch window lets users log on once, authenticating with their RACF password, and then get access to applications that SystemView for MVS supports by selecting an application from their custom...
Page 34 - OS/390 Enable and Disable Functions
Output and notifications from commands that were directed via the AT or ONLYAT keywords. These are returned to the system on which the directed command was issued. Notifications from RACLINK commands. These are returned to the system on which the RACLINK command was issued. Output from password c...
Page 35 - NetView; IRRUT100 Support for the FILE and DIRECTRY classes
the IRRDCR00 module to allow customers to convert a 3-byte packed decimal date to a 4-byte packed decimal date, using RACF's interpretation of the yy value. For more information on IRRDCR00, see “Year 2000 Support” on page 51. NetView. RACF has added the NGMFVSPN field to the NETVIEW segment of the RA...
Page 36 - Function Not Upgraded
The PTF must be applied to all systems in the sysplex in order for these enhancements to take effect. However, systems with and without the PTF applied can coexist in the sysplex, and there is no requirement to IPL all systems in the sysplex when the PTF is applied. Note: PTF UW90293 is not shipped wit...
Page 38 - Commands
Figure 7 lists classes for which there are changes. Figure 6 (Page 2 of 2). New Classes
Class Name | Description | Support
FILE | This class controls protection of shared file system (SFS) files on VM. | RACF 1.10 for VM
KEYSMSTR | This class holds a key to encrypt DCE passwords stored in the RACF database. | The ...
Page 42 - New Messages; Changed Messages
New Messages. The following messages are added: RACF Initialization Messages: ICH562I; RACF Processing Messages: IRR418I; Dynamic Parse (IRRDPI00 Command) Messages: IRR52152I; RACF Database Split/Merge Utility (IRRUT400) Messages: IRR65038I; Messages Issued by the RACF Subsystem: IRRB022I, IRRB077I, IRRB...
Page 43 - Panels; Publications Library
Panels. Figure 13 lists RACF panels that are changed. Figure 13. Changed Panels for RACF
Panel | Description | Support
ICHP41I, ICHP42I | Existing panels for user administration of the NETVIEW segment have been updated to allow a user to add, change, or delete the NGMFVSPN field. | NetView
Publications Library. Fi...
Page 44 - Templates
SYS1.SAMPLIB. Figure 16 identifies changes to RACF members of SYS1.SAMPLIB. Figure 16. Changes to SYS1.SAMPLIB
Member | Description | Support
IRRADULD | This member has been updated with the SMF type 80 record for the new event code 65. | OS/390 OpenEdition
IRRADULD | This member has been updated to support RACF...
Page 45 - Utilities
Figure 17. Changes to Templates
Template | Description of Change | Support
General | A new SVFMR segment provides the following information: Field SCRIPTN, Script name; Field PARMN, Parameter list name. | SystemView for MVS
Group | A new OVM segment provides OpenEdition for VM information associated with a gro...
Page 47 - Chapter 4. Planning Considerations; Migration Strategy
Chapter 4. Planning Considerations. This chapter describes the following high-level planning considerations for customers upgrading to Security Server (RACF) Release 2 from Security Server (RACF) Release 1: Migration strategy; Migration paths; Hardware requirements; Software requirements; Compati...
Page 49 - Compatibility
Figure 19. Software Requirements for New Function
Function | Software Requirements
OS/390 OpenEdition DCE interoperability support | OpenEdition/MVS Release 3 plus APAR OW15865 (PTF UW23684); C Run Time Library plus APAR PN75309 (PTF UN90158)
SOMobjects for MVS support | Version 1 Release 2 of SOMobjects for MV...
Page 51 - Chapter 5. Installation Considerations; Enabling RACF
Chapter 5. Installation Considerations. This chapter describes changes of interest to the system programmer installing OS/390 Release 2 Security Server (RACF): Enabling RACF; Considerations for RRSF networks; Virtual storage considerations; Customer additions to the CDT; Templates. Enabling RACF ...
Page 56 - RACF Storage Considerations; Virtual Storage
RACF Storage Considerations. This section discusses storage considerations for RACF. Virtual Storage. Figure 21 estimates RACF virtual storage usage, for planning purposes. Figure 21 (Page 1 of 2). RACF Estimated Storage Usage
Storage Subpool | Usage | How to Estimate Size
FLPA | RACF service routines, if I...
Page 57 - Customer Additions to the CDT
Figure 21 (Page 2 of 2). RACF Estimated Storage Usage
Storage Subpool | Usage | How to Estimate Size
ELSQA | Connect group table | 64 + (48 × number_of_groups_connected)
ELSQA | In-storage generic profiles | 160 + number_of_generic_profiles × (14 + average_profile_size + average_profile_name_length)
ELSQA | RACF storage track...
Page 58 - Templates for RACF on OS/390 Release 2
Templates for RACF on OS/390 Release 2. The RACF database must have templates at the Security Server (RACF) Release 2 level in order for RACF to function properly. If a Security Server (RACF) Release 2 system is sharing the database with a lower-level system (RACF 1.9, RACF 1.9.2, RACF 1.10, RACF 2.1, R...
Page 59 - Chapter 6. Customization Considerations; Exit Processing
Chapter 6. Customization Considerations. This chapter identifies customization considerations for RACF. For additional information, see OS/390 Security Server (RACF) System Programmer's Guide. Customer Additions to the CDT. Installations must verify that classes they have added to the class descriptor...
Page 60 - IRRSXT00 Installation Exit
– The first check uses the client ACEE. This is the ACEE that is associated with the current task. If the request is successful, the second check is performed. – The second check uses the ACEE associated with the server. This is the same ACEE that is associated with the address space. When each of th...
Page 61 - Chapter 7. Administration Considerations; mvsexpt
Chapter 7. Administration Considerations. This chapter summarizes the changes to administration procedures that the security administrator should be aware of. For more information, see OS/390 Security Server (RACF) Security Administrator's Guide. OS/390 OpenEdition DCE. The interoperation of RACF with ...
Page 62 - Attention; Activating the DCEUUIDS Class; Single Signon to DCE
database. The mvsexpt utility takes a specified input file or the DCE registry for each principal specified and creates the RACF DCE segment and profiles in the RACF general resource class, DCEUUIDS. For more information on these utilities, see OpenEdition DCE Administration Guide. Although you can ad...
Page 63 - Specifying the DCE Encryption Key; OS/390 OpenEdition DCE Application Considerations
The MVS user must have saved the current DCE password in the RACF DCE segment by invoking the DCE storepw command. Note: Users still need to maintain their passwords for RACF and OpenEdition DCE separately, and must use the DCE storepw to keep the DCE password that is stored in RACF current. Single ...
Page 64 - Threads and Security
OpenEdition Planning, and in OS/390 OpenEdition Programming: Assembler Callable Services Reference. The C language support for the pthread_security_np() function is discussed in OS/390 R2 C/C++ Run-Time Library Reference. Threads and Security. An application that uses the pthread_security_np service c...
Page 65 - Changes to RACF Authorization Processing
Changes to RACF Authorization Processing. Extensions have been introduced to RACF's processing of authorization requests in which both the RACF identity of the server and the RACF identity of a client of the server application are used in a resource access decision. RACF support for OpenEdition DCE in...
Page 66 - Controlling the R_dceruid Callable Service; Enhancements to the Remove ID Utility
resources. Profiles must reside in storage before RACROUTE REQUEST=FASTAUTH can be used to verify a user's access to a resource. The client/server relationship is not propagated from the application server. If the security administrator implements access control to resources that use both the serve...
Page 67 - SystemView for MVS
SystemView for MVS. Before an installation can use SystemView for MVS, the security administrator must: Create profiles in the SYSMVIEW class for SystemView for MVS applications. The profiles define logon script and parameter information for the applications. Authorize SystemView for MVS users to a...
Page 69 - Chapter 8. Auditing Considerations; SMF Records
Chapter 8. Auditing Considerations. This section summarizes the changes to auditing procedures for RACF: SMF records; Report writer utility; SMF data unload utility. The auditor must decide on appropriate global auditing options for the new classes and on which auditing reports are to be produc...
Page 70 - Auditing New OS/390 OpenEdition MVS Services
For more information on SMF records, see OS/390 Security Server (RACF) Macros and Interfaces. Figure 23 (Page 2 of 2). Changes to SMF Records
Record Type | Record Field | Description of Change | Support
80 | Relocate 65 | For event code 2, this SMF record contains flags indicating the ACEE type: Unauthenticated...
Page 71 - SMF Data Unload Utility
Auditing OS/390 OpenEdition DCE Support. RACF provides one new audit function code (94) to audit OS/390 OpenEdition DCE support. Auditing SystemView for MVS Support. Depending on the auditing options selected when using the RACF SMF data unload utility (IRRADU00), customers might see SMF records return...
Page 73 - Chapter 9. Operational Considerations; Enhancements to the RESTART Command
Chapter 9. Operational Considerations. This section summarizes the changes to operating procedures for RACF for OS/390 Release 2. Enhancements to the RESTART Command. The RESTART command has been enhanced. The new SYSNAME keyword allows an operator to restart connections to systems on a multisystem node...
Page 75 - Chapter 10. Application Development Considerations; OS/390 OpenEdition DCE Application Servers
Chapter 10. Application Development Considerations. Application development is the process of planning, designing, and coding application programs that invoke RACF functions. This section highlights new support that might affect application development procedures: Year 2000 support; OS/390 OpenEditi...
Page 76 - New Application Services and Security
The security administrator has the option of enforcing the use of both the application server's RACF identity and the RACF identity of the client in resource access control decisions. RACF support for OS/390 OpenEdition DCE introduces new indicators in the ACEE. These indicators mark the ACEE as a cli...
Page 79 - Chapter 11. General User Considerations
Chapter 11. General User Considerations. RACF general users use RACF to: Log on to the system; Access resources on the system; Protect their own resources and any group resources to which they have administrative authority. This chapter highlights new support that might affect general user procedur...
Page 81 - Chapter 12. NJE Considerations; Before Applying the PTF for APAR OW08457
Chapter 12. NJE Considerations. Several APARs shipped on OS/390 Release 2 Security Server (RACF) have implications for NJE. APAR OW14451. OS/390 Release 2 Security Server (RACF) includes a PTF that provides functions that change the way inbound NJE jobs and NJE sysout are handled by RACF. If your install...
Page 82 - Actions Required
Actions Required. With OW08457 and OW14451, group propagation and group translation have been fixed for NODES profiles, both for batch jobs and for SYSOUT. This change can significantly alter the external results of your NJE environment, and your installation must decide what changes will best suit your n...
Page 85 - Chapter 13. Scenarios; Migrating an Existing RRSF Network to Use Multisystem Nodes
Chapter 13. Scenarios. This chapter contains scenarios that might help you in planning your migration to Security Server (RACF) Release 2. Migrating an Existing RRSF Network to Use Multisystem Nodes. If an existing RRSF network contains single-system RRSF nodes that share a RACF database, you can reconf...
Page 87 - Note: Rerun the remaining commands after you complete step 5.
5. Issue a TARGET command from the operator's console to define system SYSTEM1 as the MAIN system for the multisystem node. (Issuing this command allows you to reconfigure the node to make SYSTEM2 the main system at some future time.) prefix TARGET NODE(MIAMI1) SYSNAME(SYSTEM1) LOCAL MAIN OPERATIVE PRE...
Page 88 - Note: The TARGET commands for SYSTEM1 and SYSTEM2 are now
On MIAMI2: 1. Issue a TARGET command from the operator's console to define the connection with ORLANDO. prefix TARGET NODE(ORLANDO) OPERATIVE PREFIX(...) PROTOCOL(...) WORKSPACE(...) Add this command to the RACF parameter library for SYSTEM2. Note: The TARGET commands for SYSTEM1 and SYSTEM2 are now i...
Page 89 - Glossary
Glossary. A. access. The ability to obtain the use of a protected resource. access authority. An authority related to a request for a type of access to protected resources. In RACF, the access authorities are NONE, EXECUTE, READ, UPDATE, CONTROL, and ALTER. accessor environment element (ACEE). A descriptio...
Page 97 - Index
Index A ADDUSER command 15 administration classroom courses xv administration considerations migration 2 Airline Control System/MVS, support for 11 ALCS/MVS support ALCSAUTH class 13 ALCS/MVS, support for 11 ALCSAUTH class 11, 13 ALTUSER command 15 application development considerations DCE support ...
Page 106 - Communicating Your Comments to IBM
Communicating Your Comments to IBM. OS/390 Security Server (RACF) Planning: Installation and Migration, Publication No. GC28-1920-01. If you especially like or dislike anything about this book, please use one of the methods listed below to send your comments to IBM. Whichever method you choose, make sure ...
Page 107 - Reader's Comments — We'd Like to Hear from You
Reader's Comments — We'd Like to Hear from You. OS/390 Security Server (RACF) Planning: Installation and Migration, Publication No. GC28-1920-01. You may use this form to communicate your comments about this publication, its organization, or subject matter, with the understanding that IBM may use or distr...
Page 108 - BUSINESS REPLY MAIL
Cut or Fold Along Line. Reader's Comments — We'd Like to Hear from You, GC28-1920-01. IBM. Fold and Tape. Please do not staple. Fold and Tape. NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES. BUSINESS REPLY MAIL, FIRST-CLASS MAIL PERMIT NO. 40, ARMONK, NEW YORK. POSTAGE WILL BE PAID BY A...
Page 110 - Drop in
IBM Program Number: 5645-001. Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber. GC28-1920-01