IBM OS/390 manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

Ir a la página of

Buen manual de instrucciones

Las leyes obligan al vendedor a entregarle al comprador, junto con el producto, el manual de instrucciones IBM OS/390. La falta del manual o facilitar información incorrecta al consumidor constituyen una base de reclamación por no estar de acuerdo el producto con el contrato. Según la ley, está permitido adjuntar un manual de otra forma que no sea en papel, lo cual últimamente es bastante común y los fabricantes nos facilitan un manual gráfico, su versión electrónica IBM OS/390 o vídeos de instrucciones para usuarios. La condición es que tenga una forma legible y entendible.

¿Qué es un manual de instrucciones?

El nombre proviene de la palabra latina “instructio”, es decir, ordenar. Por lo tanto, en un manual IBM OS/390 se puede encontrar la descripción de las etapas de actuación. El propósito de un manual es enseñar, facilitar el encendido o el uso de un dispositivo o la realización de acciones concretas. Un manual de instrucciones también es una fuente de información acerca de un objeto o un servicio, es una pista.

Desafortunadamente pocos usuarios destinan su tiempo a leer manuales IBM OS/390, sin embargo, un buen manual nos permite, no solo conocer una cantidad de funcionalidades adicionales del dispositivo comprado, sino también evitar la mayoría de fallos.

Entonces, ¿qué debe contener el manual de instrucciones perfecto?

Sobre todo, un manual de instrucciones IBM OS/390 debe contener:
- información acerca de las especificaciones técnicas del dispositivo IBM OS/390
- nombre de fabricante y año de fabricación del dispositivo IBM OS/390
- condiciones de uso, configuración y mantenimiento del dispositivo IBM OS/390
- marcas de seguridad y certificados que confirmen su concordancia con determinadas normativas

¿Por qué no leemos los manuales de instrucciones?

Normalmente es por la falta de tiempo y seguridad acerca de las funcionalidades determinadas de los dispositivos comprados. Desafortunadamente la conexión y el encendido de IBM OS/390 no es suficiente. El manual de instrucciones siempre contiene una serie de indicaciones acerca de determinadas funcionalidades, normas de seguridad, consejos de mantenimiento (incluso qué productos usar), fallos eventuales de IBM OS/390 y maneras de solucionar los problemas que puedan ocurrir durante su uso. Al final, en un manual se pueden encontrar los detalles de servicio técnico IBM en caso de que las soluciones propuestas no hayan funcionado. Actualmente gozan de éxito manuales de instrucciones en forma de animaciones interesantes o vídeo manuales que llegan al usuario mucho mejor que en forma de un folleto. Este tipo de manual ayuda a que el usuario vea el vídeo entero sin saltarse las especificaciones y las descripciones técnicas complicadas de IBM OS/390, como se suele hacer teniendo una versión en papel.

¿Por qué vale la pena leer los manuales de instrucciones?

Sobre todo es en ellos donde encontraremos las respuestas acerca de la construcción, las posibilidades del dispositivo IBM OS/390, el uso de determinados accesorios y una serie de informaciones que permiten aprovechar completamente sus funciones y comodidades.

Tras una compra exitosa de un equipo o un dispositivo, vale la pena dedicar un momento para familiarizarse con cada parte del manual IBM OS/390. Actualmente se preparan y traducen con dedicación, para que no solo sean comprensibles para los usuarios, sino que también cumplan su función básica de información y ayuda.

Índice de manuales de instrucciones

  • Página 1

    OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-03[...]

  • Página 2

    [...]

  • Página 3

    OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-03[...]

  • Página 4

    Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page vii. Fourth Edition, September 1997 This is a major revision of GC28-1920-02. This edition applies to Version 2 Release 4 of OS/390 (5647-A01) and to all subsequent releases and modifications until otherwise indicated [...]

  • Página 5

    Contents Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix About This Book .................................... x i Who Should Use This Book ............................... x i How to Use This Book ..............[...]

  • Página 6

    SYS1.SAMPLIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Publications Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Chapter 4. Planning Considerations . . . . . . . . . . . . . . . . . . . . . . . 21 Migration Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Página 7

    Figures 1. New Callable Services ............................. 1 1 2. Changed Callable Services ........................... 1 2 3. New Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 4. Changes to RACF Commands ......................... 1 3 5. Changes to PSPI Data Areas ......................... 1 6 6. Changed Execu[...]

  • Página 8

    vi OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 9

    Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program, or service may be used. A functionally equivalent pr[...]

  • Página 10

    viii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 11

    Trademarks The following terms are trademarks of the IBM Corporation in the United States or other countries or both:  AIX/6000  BookManager  CICS  CICS/ESA  DB2  DFSMS  FFST  FFST/MVS  IBM  IBMLink  IMS  Library Reader  MVS/ESA  MVS/XA  NetView  OpenEdition  OS/2  OS/390  Parallel Sysplex ?[...]

  • Página 12

    x OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 13

    About This Book This book contains information about the Resource Access Control Facility (RACF), which is part of the OS/390 Security Server. The Security Server has two components:  RACF  OpenEdition DCE Security Server For information about the OpenEdition DCE Security Server, see the publications related to that component. This book provi[...]

  • Página 14

     Chapter 6, “Customization Considerations” on page 29, highlights information about customizing function to take advantage of new support after the new release of RACF is installed.  Chapter 7, “Administration Considerations” on page 31, summarizes changes to administration procedures for the new release of RACF.  Chapter 8, “Aud[...]

  • Página 15

    RACF Courses The following RACF classroom courses are also available:  Effective RACF Administration, H3927  MVS/ESA RACF Security Topics, H3918  Implementing RACF Security for CICS/ESA, H3992 IBM provides a variety of educational offerings for RACF. For more information on classroom courses and other offerings, see your IBM representative[...]

  • Página 16

    Other Sources of Information IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is available through the Internet. IBM Discussion Areas Two discussion areas provided by IBM are the MVSRACF discussion and the SECURITY discussion.  MVSRACF MVSRACF is available to custom[...]

  • Página 17

    You can get sample code, internally-developed tools, and exits to help you use RACF. All this code works in our environment, at the time we make it available, but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use. The simplest way to reach this code is through the RA[...]

  • Página 18

    xvi OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 19

    Summary of Changes | Summary of Changes | for GC28-1920-03 | OS/390 Version 2 Release 4 | This book contains primarily new information for OS/390 Version 2 Release 4 | Security Server (RACF). When any information appeared in an earlier release, the | information that is new is indicated by a vertical line to the left of the change. Summary of Chang[...]

  • Página 20

    xviii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 21

    Chapter 1. Planning for Migration This chapter provides information to help you plan your installation's migration to the new release of OS/390 Security Server (RACF). Before attempting to migrate, you should define a plan to ensure a smooth and orderly transition. A well thought-out and documented migration plan can help minimize any interrup[...]

  • Página 22

    Installation Considerations Before installing a new release of RACF, you must determine what updates are needed for IBM-supplied products, system libraries, and non-IBM products. (Procedures for installing RACF are described in the program directory shipped with OS/390, not in this book.) Be sure you include the following steps when planning your p[...]

  • Página 23

    Auditing Considerations Auditors who are responsible for ensuring proper access control and accountability for their installation are interested in changes to security options, audit records, and report generation utilities. For more information, see Chapter 8, “Auditing Considerations” on page 33. Application Development Considerations Applica[...]

  • Página 24

    4 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 25

    Chapter 2. Release Overview This chapter lists the new and enhanced functions of RACF for OS/390 Release 4 and gives a brief overview of each new function or function enhancement. New and Enhanced Support For OS/390 Release 4, RACF provides:  Support for the RACF/DB2 external security module  Additional auditing of OpenEdition superusers stat[...]

  • Página 26

    Enhancements to Support for OpenEdition Services Enhancements to RACF's support for OpenEdition services include:  Extended ability to audit the use of superuser status  Default USER/GROUP support provided by APAR OW26800 Extended Ability to Audit the Use of Superuser Status This support allows the auditing of the new OpenEdition spawn s[...]

  • Página 27

    The getUMAP and getGMAP services also look for default values. If getUMAP is given a UID as input and the corresponding USER profile has no OMVS segment, the caller of the getUMAP service receives the default. If no default value is found, RACF return code 8, reason code 4 are returned by the getUMAP service. If a UID is passed to getUMAP, then it [...]

  • Página 28

     The ALTUSER command allows an administrator to reset a user's password to a temporary password or a default value. This command is modified to save the old password whenever the password is reset.  The PASSWORD USER ( userid ) command provides users and administrators with a password reset function. This command is modified to save the [...]

  • Página 29

    system. This support provides a solution to many customers that find themselves in such a situation. The PERMIT command has a new keyword to add users and groups to the conditional access list, WHEN(SYSID(...)). This keyword is allowed only for the PROGRAM class. WHEN(SYSID(...)) is similar to the existing keywords WHEN(TERMINAL(...)), WHEN(PROGRAM[...]

  • Página 30

    Enable/Disable Changes OS/390 Version 2 Release 4 has a new product ID that affects the enable/disable function in all of its elements including the Security Server. The ID() value used in the IFAPRDxx parmlib member needs to be "5647-A01". The remainder of the parameters remain the same. Without this necessary change to the ID() paramete[...]

  • Página 31

    Chapter 3. Summary of Changes to RACF Components for OS/390 Release 4 This chapter summarizes the new and changed components of OS/390 Release 4 Security Server (RACF). It includes the following summary charts for changes to the RACF:  Callable Services  Class descriptor table (CDT)  Commands  Data Areas  Exits  Macros  Message[...]

  • Página 32

    Figure 2. Changed Callable Services Callable Service Name Description Support initUSP  If no OMVS segment is found in the user's profile, the initUSP service checks the BPX.DEFAULT.USER profile in the FACILITY class. This profile may contain a user ID in its application data field that provides a default OMVS segment. If this default is fou[...]

  • Página 33

    Figure 3. New Classes Name Description Support DSNADM DB2 administrative authority class DB2 GDSNBP Grouping class for buffer pool privileges DB2 GDSNCL Grouping class for collection privileges DB2 GDSNDB Grouping class for database privileges DB2 GDSNPK Grouping class for package privileges DB2 GDSNPN Grouping class for plan privileges DB2 GDSNSG [...]

  • Página 34

    Figure 4 (Page 2 of 3). Changes to RACF Commands Command Description Support ALTUSER This command supports the removal of all of the user's CLAUTH authorities by using NOCLAUTH(*). For more information on the ALTUSER NOCLAUTH keywords, see OS/390 Security Server (RACF) Command Language Reference . TME 10 PERMIT The PERMIT command allows the ke[...]

  • Página 35

    Figure 4 (Page 3 of 3). Changes to RACF Commands Command Description Support TARGET The new keyword WDSQUAL is added to the RACF TARGET command to indicate that the variable that follows will be used by RRSF as the middle qualifier for the work space data set names of the INMSG and OUTMSG queues for the local RRSF node defined by the TARGET command[...]

  • Página 36

    Figure 5. Changes to PSPI Data Areas Data Area Description Support AFC This data area maps the contents for the Open Edition MVS security audit function codes. An audit function code has been added to audit when ck_priv is called from OpenEdition_spawn (BPX1SPN). Auditability of super user requests. COMP This data area maps the common SAF/RACF para[...]

  • Página 37

    RFXALET and RFXLOGS correspond to new fields in the RACROUTE REQUEST=FASTAUTH parameter list. These fields only exist in parameter lists created with RELEASE=2.4 or higher. Therefore, these fields must only be accessed when the RFXPVERS indicates Release 2.4 or higher. Macros Figure 6 lists changes to executable macros for OS/390 Release 4. These a[...]

  • Página 38

    RALTER Command Messages: ICH11304I SETROPTS Command Messages: ICH14042I RACF Manager Error Messages: ICH51011I RACF Processing Messages: IRR410I RACF Utility Messages: IRR67032I, IRR67034I, IRR67124I, IRR67153I, IRR67183I RRSF Enveloping Messages: IRRV002I, IRRV005I, IRRV013I, IRRV014I RACF Operational Modes and Coupling Facility Messages: IRRX013A[...]

  • Página 39

    Figure 7. New Panels for RACF Panel Description Support ICHP241n This panel enables you to add an entry for the conditional access list and to identify the access authority for it. Program control by system ID ICHP242n This panel enables you to remove an entry from the conditional access list and to identify the access list from which conditions ar[...]

  • Página 40

    Publications Library Figure 10 lists changes to the OS/390 Security Server (RACF) publications library. Note: You are able to print the softcopy documentation, either in its entirety or simply portions of it. Figure 10. Changes to the RACF Publications Library Publication Change OS/390 Security Server (RACF) Callable Services This publication is av[...]

  • Página 41

    Chapter 4. Planning Considerations This chapter describes the following high-level planning considerations for customers upgrading to OS/390 Release 4 Security Server (RACF) from OS/390 Release 3 Security Server (RACF):  Migration strategy  Migration paths  Hardware requirements  Compatibility Migration Strategy The recommended steps fo[...]

  • Página 42

    – OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1.(GC28-1920-00) If you have RACF 1.9.2 installed, in addition to this book, you should read: – OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 2, (GC28-1920-01) and Release 3 (GC28-1920-02) – OS/390 Security Server (R[...]

  • Página 43

    Compatibility This section describes considerations for compatibility between OS/390 Release 4 Security Server (RACF) and OS/390 Release 3 Security Server (RACF). OpenEdition MVS If you are an OpenEdition MVS user, be sure to review carefully the following information on possible changes. For Auditability of Superusers If you are not already auditi[...]

  • Página 44

    24 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 45

    Chapter 5. Installation Considerations This chapter describes the following changes of interest to the system programmer installing OS/390 Release 4 Security Server (RACF):  Virtual storage considerations  Templates RACF Storage Considerations This section discusses storage considerations for RACF. Using the RACF DB2 external security module [...]

  • Página 46

    Figure 11 (Page 2 of 3). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size ESQA RACF data sharing control area 300 (when enabled for sysplex communication) Class descriptor table (CNSX) (number_of_IBM-defined_classes × 28) + (number_of_IBM-defined_entries_in_router_table × 30) + (number_of_customer_defined_classes × 58) + 2[...]

  • Página 47

    Figure 11 (Page 3 of 3). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size ECSA RACF data set descriptor table and extension 168 + (896 × number_of_RACF_primary_data_sets) RACF ICB (non-shared DB) 4096 per RACF database if the database is not shared and is not on a device marked as shared, 0 otherwise | RACF program control t[...]

  • Página 48

    28 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 49

    Chapter 6. Customization Considerations This chapter identifies customization considerations for OS/390 Release 4 Security Server (RACF). For additional information, see OS/390 Security Server (RACF) System Programmer's Guide . Customer Additions to the Router Table and the CDT Installations must verify that classes they have added to the rout[...]

  • Página 50

     Set the options in the RACF/DB2 external security module. To do this, see OS/390 Security Server (RACF) System Programmer's Guide .  Decide which DB2 objects are to be protected using RACF. Define the appropriate profiles. To do this, see OS/390 Security Server (RACF) Security Administrator's Guide .  Activate the RACF/DB2 exter[...]

  • Página 51

    Chapter 7. Administration Considerations This chapter summarizes the changes to administration procedures that the security administrator should be aware of. For more information, see OS/390 Security Server (RACF) Security Administrator's Guide . The TMEADMIN Class The new TMEADMIN class is used to associate a TME administrator with a RACF MVS[...]

  • Página 52

    Enhancements of Global Access Checking When you use RACROUTE REQUEST=AUTH processing (which utilizes global access checking) for general resource classes, these classes can be processed whether or not the class is RACLISTed using SETROPTS RACLIST or RACROUTE REQUEST=LIST. 32 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 53

    Chapter 8. Auditing Considerations This section summarizes the changes to auditing procedures for SMF records. SMF Records Figure 12 summarizes changes to SMF records created by RACF for OS/390 Release 4. These changes are general-use programming interfaces (GUPI). For more information on SMF records, see OS/390 Security Server (RACF) Macros and In[...]

  • Página 54

    34 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 55

    Chapter 9. Application Development Considerations Application development is the process of planning, designing, and coding application programs that invoke RACF functions. This section highlights new support that might affect application development procedures:  Programming interfaces  RELEASE=2.4 keyword on macros  Changes to RACROUTE RE[...]

  • Página 56

    36 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 57

    Chapter 10. General User Considerations RACF general users use RACF to:  Log on to the system  Access resources on the system  Protect their own resources and any group resources to which they have administrative authority For more information on the output general users might receive, see OS/390 Security Server (RACF) General User's [...]

  • Página 58

    38 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 59

    Glossary A access . The ability to obtain the use of a protected resource. access authority . An authority related to a request for a type of access to protected resources. In RACF, the access authorities are NONE, EXECUTE, READ, UPDATE, CONTROL, and ALTER. accessor environment element (ACEE) . A description of the current user, including user ID, [...]

  • Página 60

    DATASET classes. The table is generated by executing the ICHERCDE macro once for each class. The class descriptor table contains both the IBM provided classes and also the installation defined classes. CLAUTH . See class authority . command direction . A RRSF function that allows a user to issue a command from one user ID and direct that command to[...]

  • Página 61

    E entity . A user, group, or resource (for example, a DASD data set) that is defined to RACF. EXTRACT request . The issuing of the RACROUTE macro with REQUEST=EXTRACT specified. An EXTRACT request retrieves or replaces certain specified fields from a RACF profile or encodes certain clear-text (readable) data. The EXTRACT request replaces the RACXTR[...]

  • Página 62

    L LIST request . The issuing of the RACROUTE macro with REQUEST=LIST specified. A LIST request builds in-storage profiles for RACF-defined resources. The LIST request replaces the RACLIST function. local logical unit (LU) . Local LUs are LUs defined to the MVS system; partner LUs are defined to remote systems. It is a matter of point of view. From [...]

  • Página 63

    posit . A number specified for each class in the class descriptor table that identifies a set of flags that control RACF processing options. See the keyword description for posit in OS/390 Security Server (RACF) Macros and Interfaces . process . (1) A function being performed or waiting to be performed. (2) An executing function, or one waiting to [...]

  • Página 64

    set that is RACF-protected by a discrete profile must also be RACF-indicated. RACROUTE macro . An assembler macro that provides a means of calling RACF to provide security functions. See also AUDIT request, AUTH request, DEFINE request, DIRAUTH request, EXTRACT request, FASTAUTH request, LIST request, SIGNON request, STAT request, TOKENBLD request,[...]

  • Página 65

    supervisor . The part of a control program that coordinates the use of resources and maintains the flow of processing unit operations. Synonym for supervisory routine . supervisory routine . A routine, usually part of an operating system, that controls the execution of other routines and regulates the flow of work in a data processing system. Synon[...]

  • Página 66

    security program for the system. The batch job owner is specified on the USER parameter on the JOB statement or inherited from the submitter of the job. This user ID identifies a RACF user profile.  OMVS user ID: A numeric value between 0 and 2147483647, called a UID (or sometimes a user number), that identifies a user to OpenEdition services. T[...]

  • Página 67

    How to Get Your RACF CD Let's face it, you have to search through a ton of hardcopy manuals to locate all of the information you need to secure your entire system. There are manuals for OS/390, VM, CICS, TSO/E; technical bulletins from the International Technical Support Organization (“red books”), Washington Systems Center (“orange book[...]

  • Página 68

    48 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Página 69

    Index A access list entry conditional 23 standard 23 ACEEALET keyword 16 ADDUSER command 15 administration classroom courses xiii administration considerations migration 2 ALTUSER command 7, 13, 14, 15 application development considerations migration 3 auditing 23 auditing considerations changed SMF records 33 migration 3 superuser status 6 C calla[...]

  • Página 70

    getGMAP callable service 6, 12 getUMAP callable service 6, 12 global access checking 10 H hardware requirements planning considerations 22 HRF2240 9 I ICHEACTN macro, changes to 17 ICHEINTY macro, changes to 17 ICHETEST macro, changes to 17 initUSP callable service 6, 12 installation considerations 25 templates 27 installation exits 1 See also exit[...]

  • Página 71

    R R_Admin callable service 8, 11 RACF classroom courses xiii publications on CD-ROM xii softcopy xii RACF 1.9 migration path from 22 RACF 1.9.2 migration path from 22 RACF 2.1 migration path from 22 RACF 2.2 migration path from 21 RACF administration classroom courses xiii RACF panels changed 19 RACF releases prior to 1.9 migration path from 22 RAC[...]

  • Página 72

    [...]

  • Página 73

    Readers' Comments — We'd Like to Hear from You OS/390 Security Server (RACF) Planning: Installation and Migration Publication No. GC28-1920-03 Overall, how satisfied are you with the information in this book? How satisfied are you that the information in this book is: Please tell us how we can improve this book: Thank you for your respo[...]

  • Página 74

    Cut or Fold Along Line Cut or Fold Along Line Readers' Comments — We'd Like to Hear from You GC28-1920-03 IBM  Fold and Tape Please do not staple Fold and Tape NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO. 40 ARMONK, NEW YORK POSTAGE WILL BE PAID BY ADDRESSEE IBM Corporation Depar[...]

  • Página 75

    [...]

  • Página 76

    IBM  Program Number: 5647-A01 Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber. GC28-192ð-ð3[...]