OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-
viii OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration
IBM Let's face it, you have to search through a ton of hardcopy manuals to locate all of the information you need to secure your entire system.
Figures
1. Function Shipped In OS/390 Release 1 Security Server (RACF)
2. Function Introduced After the Availability of OS/390 Release 1 Se
IBM Program Number: 5645-001 Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.
Notices
References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries
Trademarks
The following terms are trademarks of the IBM Corporation in the United States or other countries or both: AS/400 BookManager C
About This Book
This book contains information about the Resource Access Control Facility (RACF), which is part of the OS/390 Security Server. The Se
Chapter 7, “Administration Considerations” on page 37, summarizes changes to administration procedures for the new release of RACF. Chapter 8, “
RACF Courses
The following RACF classroom courses are also available:
Effective RACF Administration, H3927
MVS/ESA RACF Security Topics, H3918
Impl
Other Sources of Information
IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other i
You can get sample code, internally-developed tools, and exits to help you use RACF. All this code works1, but is not officially supported. Each too
Elements and Features in OS/390
You can use the following table to see the relationship of a product you are familiar with and how it is referred to
Product Name and Level Name in OS/390 Base or Optional OpenEdition Application Services OpenEdition Application Services base OpenEdition DCE Ba
Summary of Changes
Summary of Changes for GC28-1920-01 OS/390 Release 2
This book contains new information for OS/390 Release 2 Security Server (RACF).
Chapter 1. Planning for Migration
This chapter provides information to help you plan your installation's migration to the new release of RACF. B
Installation Considerations
Before installing a new release of RACF, you must determine what updates are needed for IBM-supplied products, system l
Auditing Considerations
Auditors who are responsible for ensuring proper access control and accountability for their installation are interested in
Chapter 2. Release Overview
This chapter lists the new and enhanced features of RACF for OS/390 Release 2. It also lists the support that has not be
OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-01
Figure 2 on page 6 identifies function introduced after the availability of OS/390 Release 1 Security Server (RACF). Figure 3 identifies function in
OS/390 OpenEdition DCE single signon support uses to sign in an authenticated OS/390 user to DCE. The RACF support for OS/390 OpenEdition DCE include
OS/390 OpenEdition
OS/390 Release 2 OpenEdition adds new capabilities for which RACF provides support.
Authorizing and Auditing Server Access to the
so that the user's information can be customized independently of the user's workstation type. The SystemView Launch window lets users log
Output and notifications from commands that were directed via the AT or ONLYAT keywords. These are returned to the system on which the directed co
the IRRDCR00 module to allow customers to convert a 3-byte packed decimal date to a 4-byte packed decimal date, using RACF's interpretation of
The PTF must be applied to all systems in the sysplex in order for these enhancements to take effect. However, systems with and without the PTF app
Chapter 3. Summary of Changes to RACF Components for OS/390 Release 2
This chapter summarizes the new and changed components of OS/390 Release 2 Secur
Figure 7 lists classes for which there are changes.
Figure 6 (Page 2 of 2). New Classes
Class Name Description Support
FILE This class controls
Figure 8. Changes to RACF Commands
Command Description Support
all If an attempt is made to invoke a RACF command when RACF is not enabled, RACF iss
Note
Before using this information and the product it supports, be sure to read the general information under “Notices” on page xi.
Second Editio
Data Areas
Figure 9 lists changed general-use programming interface (GUPI) data areas for SAF to support RACF for OS/390 Release 2. Figure 10 lists
Figure 11. Changed Exits for RACF
Exit Description Support
ICHRCX01 ICHRCX02 For unauthenticated client ACEEs, the RACROUTE REQUEST=AUTH preprocessing
New Messages
The following messages are added:
RACF Initialization Messages: ICH562I
RACF Processing Messages: IRR418I
Dynamic Parse (IRRDPI00 Comman
Panels
Figure 13 lists RACF panels that are changed.
Figure 13. Changed Panels for RACF
Panel Description Support
ICHP41I ICHP42I Existing panels for
SYS1.SAMPLIB
Figure 16 identifies changes to RACF members of SYS1.SAMPLIB.
Figure 16. Changes to SYS1.SAMPLIB
Member Description Support
IRRADULD T
Figure 17. Changes to Templates
Template Description of Change Support
General A new SVFMR segment provides the following information:
Field Descrip
Figure 18. Changes to Utilities
Utility Description of Change Support
IRRADU00 The SMF data unload utility has been updated to support unloading da
Chapter 4. Planning Considerations
This chapter describes the following high-level planning considerations for customers upgrading to Security Serve
RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT or TYPE=REPLACE before installing OS/390 Release 2 Security Server (RACF). In addition to this book you should
Figure 19. Software Requirements for New Function
Function Software Requirements
OS/390 OpenEdition DCE interoperability support OpenEdition/MVS Rele
Chapter 5. Installation Considerations
This chapter describes changes of interest to the system programmer installing OS/390 Release 2 Security Serv
prefix
Is a value you specify with the PREFIX keyword on the TARGET command
sysname
Is the system name. This name must match the value in the CVTSNAME
the description of the TARGET command in OS/390 Security Server (RACF) Command Language Reference for details. If any of the INMSG or OUTMSG workspac
//*
//* RRSFALTR:
//*
//* IDCAMS JOB to rename the workspace data
//RRSFALTR JOB 'JOB TO RENAME WORKSPACE DATA SETS',MSGLEVEL=(1,1)
//*
//* USE A JOBCAT OR STEPCAT WHERE NEEDED TO POINT TO THE CATALOG
//* THA
RACF Storage Considerations
This section discusses storage considerations for RACF.
Virtual Storage
Figure 21 estimates RACF virtual storage usage,
Figure 21 (Page 2 of 2). RACF Estimated Storage Usage
Storage Subpool Usage How to Estimate Size
ELSQA Connect group table 64 + (48 × number_of
Templates for RACF on OS/390 Release 2
The RACF database must have templates at the Security Server (RACF) Release 2 level in order for RACF to func
Chapter 6. Customization Considerations
This chapter identifies customization considerations for RACF. For additional information, see OS/390 Securi
– The first check uses the client ACEE. This is the ACEE that is associated with the current task. If the request is successful, the second check i
Chapter 7. Administration Considerations
This chapter summarizes the changes to administration procedures that the security administrator should be
database. The mvsexpt utility takes a specified input file or the DCE registry for each principal specified and creates the RACF DCE segment and pro
The MVS user must have saved the current DCE password in the RACF DCE segment by invoking the DCE storepw command.
Note: Users still need to maint
OpenEdition Planning, and in OS/390 OpenEdition Programming: Assembler Callable Services Reference. The C language support for the pthread_security_
Changes to RACF Authorization Processing
Extensions have been introduced to RACF's processing of authorization requests in which both the RACF i
resources. Profiles must reside in storage before RACROUTE REQUEST=FASTAUTH can be used to verify a user's access to a resource. The client/s
SystemView for MVS
Before an installation can use SystemView for MVS, the security administrator must:
Create profiles in the SYSMVIEW class for Sys
Chapter 8. Auditing Considerations
This section summarizes the changes to auditing procedures for the RACF:
SMF records
Report writer utility
Contents
Notices
Trademarks
For more information on SMF records, see OS/390 Security Server (RACF) Macros and Interfaces.
Figure 23 (Page 2 of 2). Changes to SMF Records
R
Auditing OS/390 OpenEdition DCE Support
RACF provides one new audit function code (94) to audit OS/390 OpenEdition DCE support.
Auditing SystemView fo
Chapter 9. Operational Considerations
This section summarizes the changes to operating procedures for RACF for OS/390 Release 2.
Enhancements to the
Chapter 10. Application Development Considerations
Application development is the process of planning, designing, and coding application programs tha
The security administrator has the option of enforcing the use of both the application server's RACF identity and the RACF identity of the cli
For more information on the convert_id_np (BPX1CID) callable service, see OS/390 OpenEdition Programming: Assembler Callable Services Reference. The
“Macros” on page 17
“Templates” on page 20
“Utilities” on page 21
“Routines” on page 19
Chapter 11. General User Considerations
RACF general users use RACF to:
Log on to the system
Access resources on the system
Protect their own res
Messages
Panels
Chapter 12. NJE Considerations
Several APARs shipped on OS/390 Release 2 Security Server (RACF) have implications for NJE.
APAR OW14451
OS/390 Releas
Actions Required
With OW08457 and OW14451, group propagation and group translation have been fixed for NODES profiles, both for batch jobs and for S
List all GROUPJ and GROUPS NODES profiles that have a UACC value greater than or equal to READ, recording the profile names and all keywords necessa
Chapter 13. Scenarios
This chapter contains scenarios that might help you in planning your migration to Security Server (RACF) Release 2.
Migrating a
2. Issue TARGET DORMANT commands from the operator's console to make all RRSF conversations dormant:
prefixTARGET NODE(MIAMI1) DORMANT
prefixTAR
5. Issue a TARGET command from the operator's console to define system SYSTEM1 as the MAIN system for the multisystem node. (Issuing this comman
On MIAMI2:
1. Issue a TARGET command from the operator's console to define the connection with ORLANDO.
prefixTARGET NODE(ORLANDO) OPERATIVE PR
Glossary
A
access. The ability to obtain the use of a protected resource.
access authority. An authority related to a request for a type of access to
Chapter 9. Operational Considerations
Enhancements to the RESTART Command
Enab
user ID on the same or a different RRSF node. Before a command can be directed from one user ID to another, a user ID association must be defined be
F
FASTAUTH request. The issuing of the RACROUTE macro with REQUEST=FASTAUTH specified. The primary function of a FASTAUTH request is to check a user
is the local LU, and the LU through which communication is received is the partner LU.
local node. The RRSF node from whose point of view you are ta
Daemon processes, which do systemwide functions in user mode, such as printer spooling
Kernel processes, which do systemwide functions in kernel m
RRSF nodes that are logically connected, from MVSX's point of view MVSY is a remote node, and from MVSY's point of view MVSX is a remote n
sysplex communication. An optional RACF function that allows the system to use XCF services and communicate with other systems that are also enabled
OpenEdition MVS, a string that is used to identify a user.
user profile. A description of a RACF-defined user that includes the user ID, user name,