IBM GC28-1920-01 manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

Go to page of

A good user manual

The rules should oblige the seller to give the purchaser an operating instrucion of IBM GC28-1920-01, along with an item. The lack of an instruction or false information given to customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos have been majorly used. A necessary precondition for this is the unmistakable, legible character of an instruction.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of IBM GC28-1920-01 one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.

Unfortunately, only a few customers devote their time to read an instruction of IBM GC28-1920-01. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.

What should a perfect user manual contain?

First and foremost, an user manual of IBM GC28-1920-01 should contain:
- informations concerning technical data of IBM GC28-1920-01
- name of the manufacturer and a year of construction of the IBM GC28-1920-01 item
- rules of operation, control and maintenance of the IBM GC28-1920-01 item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of IBM GC28-1920-01 alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of IBM GC28-1920-01, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the IBM service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of IBM GC28-1920-01.

Why one should read the manuals?

It is mostly in the manuals where we will find the details concerning construction and possibility of the IBM GC28-1920-01 item, and its use of respective accessory, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment and get to know with every part of an instruction. Currently the manuals are carefully prearranged and translated, so they could be fully understood by its users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    OS/390 Place graphic in this area. Outline is keyline only. DO NOT PRINT. IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-01[...]

  • Page 2

    [...]

  • Page 3

    OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-01[...]

  • Page 4

    Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page xi. Second Edition, September 1996 This is a major revision of GC28-1920-00. This edition applies to Version 1 Release 2 of OS/390 (5645-001) and to all subsequent releases and modifications until otherwise indicated i[...]

  • Page 5

    iii[...]

  • Page 6

    iv OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 7

    Contents Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii About This Book ................................... xiii Who Should Use This Book .............................. xiii How to Use This Book ..............[...]

  • Page 8

    Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Publications Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Routines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 9

    Chapter 9. Operational Considerations . . . . . . . . . . . . . . . . . . . . . 49 Enhancements to the RESTART Command .................... 4 9 Enabling and Disabling RACF ............................ 4 9 Chapter 10. Application Development Considerations ............ 5 1 Year 2000 Support ................................... 5 1 OS/390 OpenEdition [...]

  • Page 10

    viii OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 11

    Figures 1. Function Shipped In OS/390 Release 1 Security Server (RACF) ...... 5 2. Function Introduced After the Availability of OS/390 Release 1 Security Server (RACF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Function Introduced In OS/390 Release 2 Security Server (RACF) ..... 6 4. Function Not Shipped In OS/390 R[...]

  • Page 12

    x OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 13

    Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program or service may be used. A functionally equivalent pro[...]

  • Page 14

    Trademarks The following terms are trademarks of the IBM Corporation in the United States or other countries or both:  AS/400  BookManager  CICS  CICS/ESA  DB2  DFSMS  DFSMS/MVS  IBM  IBMLink  IMS  Library Reader  MVS  MVS/ESA  MVS/XA  NetView  OpenEdition  OS/2  OS/390  Parallel Sysplex  [...]

  • Page 15

    About This Book This book contains information about the Resource Access Control Facility (RACF), which is part of the OS/390 Security Server. The Security Server has two components:  RACF  OpenEdition DCE Security Server For information about the OpenEdition DCE Security Server, see the publications related to that component. This book provi[...]

  • Page 16

     Chapter 7, “Administration Considerations” on page 37, summarizes changes to administration procedures for the new release of RACF.  Chapter 8, “Auditing Considerations” on page 45, summarizes changes to auditing procedures for the new release of RACF.  Chapter 9, “Operational Considerations” on page 49, summarizes changes to [...]

  • Page 17

    RACF Courses The following RACF classroom courses are also available:  Effective RACF Administration, H3927  MVS/ESA RACF Security Topics, H3918  Implementing RACF Security for CICS/ESA, H3992 IBM provides a variety of educational offerings for RACF. For more information on classroom courses and other offerings, see your IBM representative[...]

  • Page 18

    Other Sources of Information IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is available through the Internet. IBM Discussion Areas Two discussion areas provided by IBM are the MVSRACF discussion and the SECURITY discussion.  MVSRACF MVSRACF is available to custom[...]

  • Page 19

    You can get sample code, internally-developed tools, and exits to help you use RACF. All this code works 1 , but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use. The simplest way to reach this code is through the RACF home page. From the home page, click on System/[...]

  • Page 20

    Elements and Features in OS/390 You can use the following table to see the relationship of a product you are familiar with and how it is referred to in OS/390 Release 2. OS/390 Release 2 is made up of elements and features that contain function at or beyond the release level of the products listed in the following table. The table gives the name an[...]

  • Page 21

    Product Name and Level Name in OS/390 Base or Optional  OpenEdition Application Services  OpenEdition Application Services base  OpenEdition DCE Base Services (OSF DCE level 1.1)  OpenEdition DCE Base Services base  OpenEdition DCE Distributed File Service (DFS) (OSF DCE level 1.1)  OpenEdition DCE Distributed File Service (DFS) b[...]

  • Page 22

    xx OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 23

    Summary of Changes Summary of Changes for GC28-1920-01 OS/390 Release 2 This book contains new information for OS/390 Release 2 Security Server (RACF). Summary of Changes for GC28-1920-00 OS/390 Release 1 This book contains information previously presented in RACF Planning: Installation and Migration , GC23-3736, which supports RACF Version 2 Relea[...]

  • Page 24

    xxii OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 25

    Chapter 1. Planning for Migration This chapter provides information to help you plan your installation's migration to the new release of RACF. Before attempting to migrate, you should define a plan to ensure a smooth and orderly transition. A well thought-out and documented migration plan can help minimize any interruption of service. Your mig[...]

  • Page 26

    Installation Considerations Before installing a new release of RACF, you must determine what updates are needed for IBM-supplied products, system libraries, and non-IBM products. (Procedures for installing RACF are described in the program directory shipped with the product, not in this book.) Be sure you include the following steps when planning y[...]

  • Page 27

    Auditing Considerations Auditors who are responsible for ensuring proper access control and accountability for their installation are interested in changes to security options, audit records, and report generation utilities. For more information, see Chapter 8, “Auditing Considerations” on page 45. Operational Considerations The installation of[...]

  • Page 28

    4 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 29

    Chapter 2. Release Overview This chapter lists the new and enhanced features of RACF for OS/390 Release 2. It also lists the support that has not been updated in the new release. New and Enhanced Support For OS/390 Release 2, RACF provides new and enhanced support for:  OS/390 OpenEdition DCE  OS/390 OpenEdition MVS  SOMobjects for MVS, Ve[...]

  • Page 30

    Figure 2 on page 6 identifies function introduced after the availability of OS/390 Release 1 Security Server (RACF). Figure 3 identifies function introduced in OS/390 Release 2 Security Server (RACF). Figure 4 identifies function not shipped in OS/390 Release 2 Security Server (RACF), but available via PTF. Figure 2. Function Introduced After the A[...]

  • Page 31

    OS/390 OpenEdition DCE single signon support uses to sign in an authenticated OS/390 user to DCE. The RACF support for OS/390 OpenEdition DCE includes:  The DCE segment, which contains DCE information associated with a RACF user  The KEYSMSTR class, which holds a key to encrypt the DCE password  The DCEUUIDS class, which is used to define [...]

  • Page 32

    OS/390 OpenEdition OS/390 Release 2 OpenEdition adds new capabilities for which RACF provides support. Authorizing and Auditing Server Access to the CCS and WLM Services OS/390 Release 2 OpenEdition adds the capability to check whether servers are authorized to use the console communications service (CCS) and the workload manager (WLM) service. RAC[...]

  • Page 33

    so that the user's information can be customized independently of the user's workstation type. The SystemView Launch window lets users log on once, authenticating with their RACF password, and then get access to applications that SystemView for MVS supports by selecting an application from their customized task tree, without needing to sp[...]

  • Page 34

     Output and notifications from commands that were directed via the AT or ONLYAT keywords. These are returned to the system on which the directed command was issued.  Notifications from RACLINK commands. These are returned to the system on which the RACLINK command was issued.  Output from password changes when automatic password direction [...]

  • Page 35

    the IRRDCR00 module to allow customers to convert a 3-byte packed decimal date to a 4-byte packed decimal date, using RACF's interpretation of the yy value. For more information on IRRDCR00, see “Year 2000 Support” on page 51. NetView RACF has added the NGMFVSPN field to the NETVIEW segment of the RACF user profile for future use by the Ne[...]

  • Page 36

    The PTF must be applied to all systems in the sysplex in order for these enhancements to take effect. However, systems with and without the PTF applied can coexist in the sysplex, and there is no requirement to IPL all systems in the sysplex when the PTF is applied. Note: PTF UW90293 is not shipped with OS/390 Release 2 Security Server (RACF). You [...]

  • Page 37

    Chapter 3. Summary of Changes to RACF Components for OS/390 Release 2 This chapter summarizes the new and changed components of OS/390 Release 2 Security Server (RACF). It includes summary charts for changes to the RACF:  Class descriptor table (CDT)  Commands  Data Areas  Exits  Macros  Messages  Panels  Publications Librar[...]

  • Page 38

    Figure 7 lists classes for which there are changes. Figure 6 (Page 2 of 2). New Classes Class Name Description Support FILE This class controls protection of shared file system (SFS) files on VM. RACF 1.10 for VM KEYSMSTR This class holds a key to encrypt DCE passwords stored in the RACF database. The profile in this class is named: DCE.PASSWORD.KE[...]

  • Page 39

    Figure 8. Changes to RACF Commands Command Description Support all If an attempt is made to invoke a RACF command when RACF is not enabled, RACF issues message IRR418I, and the command is not processed. OS/390 Enable/Disable ADDUSER ALTUSER These commands accept the new NGMFVSPN subkeyword on the NETVIEW keyword for future use by the NetView Graphi[...]

  • Page 40

    Data Areas Figure 9 lists changed general-use programming interface (GUPI) data areas for SAF to support RACF for OS/390 Release 2. Figure 10 lists changed product-sensitive programming interface (PSPI) data areas for for RACF. Figure 9. Changes to SAF GUPI Data Areas Data Area Description Support ACEE This data area has been enhanced to identify a[...]

  • Page 41

    Figure 11. Changed Exits for RACF Exit Description Support ICHRCX01 ICHRCX02 For unauthenticated client ACEEs, the RACROUTE REQUEST=AUTH preprocessing and postprocessing exits are invoked for both the client ACEE and the server ACEE. For more information, see “Effects of OS/390 OpenEdition DCE Support on ICHRCX01, ICHRCX02, and IRRSXT00” on pag[...]

  • Page 42

    New Messages The following messages are added: RACF Initialization Messages: ICH562I RACF Processing Messages: IRR418I Dynamic Parse (IRRDPI00 Command) Messages: IRR52152I RACF Database Split/Merge Utility (IRRUT400) Messages: IRR65038I Messages Issued by the RACF Subsystem: IRRB022I, IRRB077I, IRRB078I, IRRB079I, IRRB080I, IRRB081I, IRRB082I RRSF [...]

  • Page 43

    Panels Figure 13 lists RACF panels that are changed. Figure 13. Changed Panels for RACF Panel Description Support ICHP41I ICHP42I Existing panels for user administration of the NETVIEW segment have been updated to allow a user to add, change, or delete the NGMFVSPN field. NetView Publications Library Figure 14 lists changes to the OS/390 Security S[...]

  • Page 44

    SYS1.SAMPLIB Figure 16 identifies changes to RACF members of SYS1.SAMPLIB. Figure 16. Changes to SYS1.SAMPLIB Member Description Support IRRADULD This member has been updated with the SMF type 80 record for the new event code 65. OS/390 OpenEdition IRRADULD This member has been updated to support RACF 1.10 for VM audit records. RACF 1.10 for VM IRR[...]

  • Page 45

    Figure 17. Changes to Templates Template Description of Change Support General A new SVFMR segment provides the following information: Field Description SCRIPTN Script name PARMN Parameter list name SystemView for MVS Group A new OVM segment provides OpenEdition for VM information associated with a group. The segment provides the following informat[...]

  • Page 46

    Figure 18. Changes to Utilities Utility Description of Change Support IRRADU00 The SMF data unload utility has been updated to support unloading data from audit records created on a system running RACF 1.10 for VM. This support allows RACF 1.10 for VM audit records to be processed by OS/390 Security Server (RACF). RACF 1.10 for VM IRRDBU00 The RACF[...]

  • Page 47

    Chapter 4. Planning Considerations This chapter describes the following high-level planning considerations for customers upgrading to Security Server (RACF) Release 2 from Security Server (RACF) Release 1:  Migration strategy  Migration paths  Hardware requirements  Software requirements  Compatibility Migration Strategy The recommen[...]

  • Page 48

    RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT or TYPE=REPLACE before installing OS/390 Release 2 Security Server (RACF). In addition to this book you should read: – OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1, – RACF Planning: Installation and Migration for RACF 2.1, and – RACF Migration and Planning for RA[...]

  • Page 49

    Figure 19. Software Requirements for New Function Function Software Requirements OS/390 OpenEdition DCE interoperability support OpenEdition/MVS Release 3 plus APAR OW15865 (PTF UW23684) C Run Time Library plus APAR PN75309 (PTF UN90158) SOMobjects for MVS support Version 1 Release 2 of SOMobjects for MVS Compatibility This section describes consid[...]

  • Page 50

    26 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 51

    Chapter 5. Installation Considerations This chapter describes changes of interest to the system programmer installing OS/390 Release 2 Security Server (RACF):  Enabling RACF  Considerations for RRSF networks  Virtual storage considerations  Customer additions to the CDT  Templates Enabling RACF When you install OS/390 Release 2, make[...]

  • Page 52

    prefix Is a value you specify with the PREFIX keyword on the TARGET command sysname Is the system name. This name must match the value in the CVTSNAME field for the system it identifies. ds_identity Is either INMSG or OUTMSG The naming convention for the workspace data sets for remote connections is now: prefix.local_luname.remote_luname.ds_identit[...]

  • Page 53

    the description of the TARGET command in OS/390 Security Server (RACF) Command Language Reference for details. If any of the INMSG or OUTMSG workspace data sets are not empty, you should rename them to follow the new naming convention. For an example of JCL to perform this task, see Figure 20 on page 30. 6. Restart the RACF subsystem address space [...]

  • Page 54

    //// // // // RRSFALTR: // // // // IDCAMS JOB to rename the workspace data sets when installing // // PTF UW9235 (multisy[...]

  • Page 55

    //RRSFALTR JOB 'JOB TO RENAME WORKSPACE DATA SETS',MSGLEVEL=1,1 // // USE A JOBCAT OR STEPCAT WHERE NEEDED TO POINT TO THE CATALOG // THAT CONTAINS THE INFORMATION NEEDED FOR YOUR DATA SETS. // //STEP1 EXEC PGM=IDCAMS // THE WORKSPACE DATA SETS THAT REFER TO THE LOCAL SYSTEM SHOULD // BE CHANGED AS FOLLOWS: //SYSPRINT DD[...]

  • Page 56

    RACF Storage Considerations This section discusses storage considerations for RACF. Virtual Storage Figure 21 estimates RACF virtual storage usage, for planning purposes. Figure 21 (Page 1 of 2). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size FLPA RACF service routines, if IMS or CICS is using RACF for authorization checkin[...]

  • Page 57

    Figure 21 (Page 2 of 2). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size ELSQA Connect group table 64 + (48 × number_of_groups_connected) In-storage generic profiles 160 + number_of_generic_profiles × (14 + average_profile_size + average_profile_name_length) RACF storage tracking table 3500 RACROUTE REQUEST=LIST profiles N[...]

  • Page 58

    Templates for RACF on OS/390 Release 2 The RACF database must have templates at the Security Server (RACF) Release 2 level in order for RACF to function properly. If a Security Server (RACF) Release 2 system is sharing the database with a lower-level system (RACF 1.9, RACF 1.9.2, RACF 1.10, RACF 2.1, RACF 2.2, or Security Server (RACF) Release 1), [...]

  • Page 59

    Chapter 6. Customization Considerations This chapter identifies customization considerations for RACF. For additional information, see OS/390 Security Server (RACF) System Programmer's Guide . Customer Additions to the CDT Installations must verify that classes they have added to the class descriptor table (CDT) do not conflict with new classe[...]

  • Page 60

    – The first check uses the client ACEE. This is the ACEE that is associated with the current task. If the request is successful, the second check is performed. – The second check uses the ACEE associated with the server. This is the same ACEE that is associated with the address space. When each of these checks occurs, the RACF exits ICHRCX01 an[...]

  • Page 61

    Chapter 7. Administration Considerations This chapter summarizes the changes to administration procedures that the security administrator should be aware of. For more information, see OS/390 Security Server (RACF) Security Administrator's Guide . OS/390 OpenEdition DCE The interoperation of RACF with OS/390 OpenEdition DCE enables DCE applicat[...]

  • Page 62

    database. The mvsexpt utility takes a specified input file or the DCE registry for each principal specified and creates the RACF DCE segment and profiles in the RACF general resource class, DCEUUIDS. For more information on these utilities, see OpenEdition DCE Administration Guide . Although you can administer the DCEUUIDS profiles using the RACF R[...]

  • Page 63

     The MVS user must have saved the current DCE password in the RACF DCE segment by invoking the DCE storepw command. Note: Users still need to maintain their passwords for RACF and OpenEdition DCE separately, and must use the DCE storepw to keep the DCE password that is stored in RACF current. Single signon support is not intended to be used by a[...]

  • Page 64

    OpenEdition Planning , and in OS/390 OpenEdition Programming: Assembler Callable Services Reference . The C language support for the pthread_security_np() function is discussed in OS/390 R2 C/C ++ Run-Time Library Reference . Threads and Security An application that uses the pthread_security_np service can customize the RACF identity of a thread. C[...]

  • Page 65

    Changes to RACF Authorization Processing Extensions have been introduced to RACF's processing of authorization requests in which both the RACF identity of the server and the RACF identity of a client of the server application are used in a resource access decision. RACF support for OpenEdition DCE introduces new indicators in the ACEE. These i[...]

  • Page 66

    resources. Profiles must reside in storage before RACROUTE REQUEST=FASTAUTH can be used to verify a user's access to a resource.  The client/server relationship is not propagated from the application server. If the security administrator implements access control to resources that use both the server's RACF identity and the client&apos[...]

  • Page 67

    SystemView for MVS Before an installation can use SystemView for MVS, the security administrator must:  Create profiles in the SYSMVIEW class for SystemView for MVS applications. The profiles define logon script and parameter information for the applications.  Authorize SystemView for MVS users to access the defined applications via the Syste[...]

  • Page 68

    44 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 69

    Chapter 8. Auditing Considerations This section summarizes the changes to auditing procedures for the RACF:  SMF records  Report writer utility  SMF data unload utility The auditor must decide on appropriate global auditing options for the new classes and on which auditing reports are to be produced. See OS/390 Security Server (RACF) Audit[...]

  • Page 70

    For more information on SMF records, see OS/390 Security Server (RACF) Macros and Interfaces . Figure 23 (Page 2 of 2). Changes to SMF Records Record Type Record Field Description of Change Support 80 Relocate 65 For event code 2, this SMF record contains flags indicating the ACEE type:  Unauthenticated client  Authenticated client  Server[...]

  • Page 71

    Auditing OS/390 OpenEdition DCE Support RACF provides one new audit function code (94) to audit OS/390 OpenEdition DCE support. Auditing SystemView for MVS Support Depending on the auditing options selecting when using the RACF SMF data unload utility (IRRADU00), customers might see SMF records returned for the new SYSMVIEW class and type 44 reloca[...]

  • Page 72

    48 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 73

    Chapter 9. Operational Considerations This section summarizes the changes to operating procedures for RACF for OS/390 Release 2. Enhancements to the RESTART Command The RESTART command has been enhanced. The new SYSNAME keyword allows an operator to restart connections to systems on a multisystem node. See OS/390 Security Server (RACF) Command Lang[...]

  • Page 74

    50 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 75

    Chapter 10. Application Development Considerations Application development is the process of planning, designing, and coding application programs that invoke RACF functions. This section highlights new support that might affect application development procedures:  Year 2000 support  OS/390 OpenEdition DCE Application Servers  Changes to th[...]

  • Page 76

    The security administrator has the option of enforcing the use of both the application server's RACF identity and the RACF identity of the client in resource access control decisions. RACF support for OS/390 OpenEdition DCE introduces new indicators in the ACEE. These indicators mark the ACEE as a client ACEE . Client ACEEs are created by OS/3[...]

  • Page 77

    For more information on the convert_id_np (BPX1CID) callable service, see OS/390 OpenEdition Programming: Assembler Callable Services Reference . The C language support for the __convert_id_np() is discussed in OS/390 R2 C/C ++ Run-Time Library Reference New Application Authorization Service A DCE application server on OS/390 can use DCE security s[...]

  • Page 78

     “Macros” on page 17  “Templates” on page 20  “Utilities” on page 21  “Routines” on page 19 54 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 79

    Chapter 11. General User Considerations RACF general users use RACF to:  Log on to the system  Access resources on the system  Protect their own resources and any group resources to which they have administrative authority This chapter highlights new support that might affect general user procedures. OS/390 OpenEdition DCE If an installati[...]

  • Page 80

    56 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 81

    Chapter 12. NJE Considerations Several APARs shipped on OS/390 Release 2 Security Server (RACF) have implications for NJE. APAR OW14451 OS/390 Release 2 Security Server (RACF) includes a PTF that provides functions that change the way inbound NJE jobs and NJE sysout are handled by RACF. If your installation uses NJE and RACF nodes profiles it is im[...]

  • Page 82

    Actions Required With OW08457 and OW14451, group propagation and group translation has been fixed for NODES profiles, both for batch jobs and for SYSOUT. This change can significantly alter the external results of your NJE environment and your installation must decide what changes will best suit your needs. Case 1: Nodes defined to &RACLNDE. Fo[...]

  • Page 83

    List all GROUPJ and GROUPS NODES profiles that have a UACC value greater than or equal to READ, recording the profile names and all keywords necessary to add them back later. Then delete them. These profiles were previously irrelevant but now could result in failing jobs or unowned SYSOUT. Note that GROUPJ and GROUPS NODES profiles with a UACC valu[...]

  • Page 84

    60 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 85

    Chapter 13. Scenarios This chapter contains scenarios that might help you in planning your migration to Security Server (RACF) Release 2. Migrating an Existing RRSF Network to Use Multisystem Nodes If an existing RRSF network contains single-system RRSF nodes that share a RACF database, you can reconfigure the single-system RRSF nodes to a multisys[...]

  • Page 86

    2. Issue TARGET DORMANT commands from the operator's console to make all RRSF conversations dormant: prefix TARGET NODE(MIAMI1) DORMANT prefix TARGET NODE(ORLANDO) DORMANT 3. Issue a TARGET command from the operator's console to make MIAMI1 the main system on the new multisystem node MIAMI1. The old node name is used for the new multisyst[...]

  • Page 87

    5. Issue a TARGET command from the operator's console to define system SYSTEM1 as the MAIN system for the multisystem node. (Issuing this command allows you to reconfigure the node to make SYSTEM2 the main system at some future time.) prefix TARGET NODE(MIAMI1) SYSNAME(SYSTEM1) LOCAL MAIN OPERATIVE PREFIX(...) PROTOCOL(...) WORKSPACE(...) Add [...]

  • Page 88

    On MIAMI2: 1. Issue a TARGET command from the operator's console to define the connection with ORLANDO. prefix TARGET NODE(ORLANDO) OPERATIVE PREFIX(...) PROTOCOL(...) WORKSPACE(...) Add this command to the RACF parameter library for SYSTEM2. Note: The TARGET commands for SYSTEM1 and SYSTEM2 are now identical. If you want, you can now use a si[...]

  • Page 89

    Glossary A access . The ability to obtain the use of a protected resource. access authority . An authority related to a request for a type of access to protected resources. In RACF, the access authorities are NONE, EXECUTE, READ, UPDATE, CONTROL, and ALTER. accessor environment element (ACEE) . A description of the current user, including user ID, [...]

  • Page 90

    user ID on the same or a different RRSF node. Before a command can be directed from one user ID to another, a user ID association must be defined between them via the RACLINK command. command interpreter . A program that reads the commands that you type in and then executes them. When you are typing commands into the computer, you are actually typi[...]

  • Page 91

    F FASTAUTH request . The issuing of the RACROUTE macro with REQUEST=FASTAUTH specified. The primary function of a FASTAUTH request is to check a user's authorization to a RACF-protected resource or function. A FASTAUTH request uses only in-storage profiles for faster performance. The FASTAUTH request replaces the FRACHECK function. See also au[...]

  • Page 92

    is the local LU, and the LU through which communication is received is the partner LU. local node . The RRSF node from whose point of view you are talking. For example, if MVSA and MVSB are two RRSF nodes that are logically connected, from MVSA's point of view MVSA is the local node, and from MVSB's point of view MVSB is the local node. S[...]

  • Page 93

     Daemon processes, which do systemwide functions in user mode, such as printer spooling  Kernel processes, which do systemwide functions in kernel mode, such as paging A process can run in an OpenEdition user address space, an OpenEdition forked address space, or an OpenEdition kernel address space. In an MVS system, a process is handled like[...]

  • Page 94

    RRSF nodes that are logically connected, from MVSX's point of view MVSY is a remote node, and from MVSY's point of view MVSX is a remote node. See also local node , target node . Resource Access Control Facility (RACF) . A n IBM-licensed product that provides for access control by identifying and verifying users to the system, authorizing[...]

  • Page 95

    sysplex communication . An optional RACF function that allows the system to use XCF services and communicate with other systems that are also enabled for sysplex communication. system authorization facility (SAF) . An MVS component that provides a central point of control for security decisions. It either processes requests directly or works with R[...]

  • Page 96

    OpenEdition MVS, a string that is used to identify a user. user profile . A description of a RACF-defined user that includes the user ID, user name, default group name, password, profile owner, user attributes, and other information. A user profile can include information for subsystems such as TSO and DFP. See TSO segment and DFP segment . V verif[...]

  • Page 97

    Index A ADDUSER command 15 administration classroom courses xv administration considerations migration 2 Airline Control System/MVS, support for 11 ALCS/MVS support ALCSAUTH class 13 ALCS/MVS, support for 11 ALCSAUTH class 11, 13 ALTUSER command 15 application development considerations DCE support 51 migration 3 year 2000 support 51 audit function[...]

  • Page 98

    DCE support (continued) auditing considerations 47 command changes 15 controlling access to R_dceruid callable service 42 DCEUUIDS class 13 deleting RACF user IDs 42 description 6 effect on exits 35, 36 general user considerations 55 KEYSMSTR class 14 new audit function codes 16 new record type for database unload utility 22 new segment for user te[...]

  • Page 99

    J JCICSJCT class 14, 53 JCL for renaming workspace data sets 30 K KCICSJCT class 14, 53 KEYSMSTR class 14 L library, RACF publications changes to 19 LSQA storage requirement 32 M macros changes to 17 ICHEINTY 17 RACROUTE REQUEST=DEFINE 17 main system 9 messages changes to 17 migration recommended strategy migration considerations administration 2 a[...]

  • Page 100

    PLPA storage requirement 32 programming interfaces changes to CDT 13 data areas 16 new routines 19 templates 21 publications changes to RACF library 19 on CD-ROM xiv softcopy xiv R R_dceruid callable service 42 RACDBULD member of SYS1.SAMPLIB 20 RACDBUTB member of SYS1.SAMPLIB 20 RACF classroom courses xv publications on CD-ROM xiv softcopy xiv RAC[...]

  • Page 101

    SMF data unload utility auditing considerations 47 changes to 22 SMF records changes to 45 OpenEdition DCE support 46 OpenEdition services 45 SOMDOBJS class 14 SOMobjects for MVS, support for administration considerations 42 CBIND class 13 description 8 SERVER class 14 SOMDOBJS class 14 SQA storage requirement 32 storage for RACF virtual 32 storage[...]

  • Page 102

    78 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

  • Page 103

    IBM  Let's face it, you have to search through a ton of hardcopy manuals to locate all of the information you need to secure your entire system. There are manuals for OS/390, VM, CICS, TSO/E; technical bulletins from the International Technical Support Organization (“red books”), Washington Systems Center (“orange books”); multiple [...]

  • Page 104

    [...]

  • Page 105

    [...]

  • Page 106

    Communicating Your Comments to IBM OS/390 Security Server (RACF) Planning: Installation and Migration Publication No. GC28-1920-01 If you especially like or dislike anything about this book, please use one of the methods listed below to send your comments to IBM. Whichever method you choose, make sure you send your name, address, and telephone numb[...]

  • Page 107

    Reader's Comments — We'd Like to Hear from You OS/390 Security Server (RACF) Planning: Installation and Migration Publication No. GC28-1920-01 You may use this form to communicate your comments about this publication, its organization, or subject matter, with the understanding that IBM may use or distribute whatever information you supp[...]

  • Page 108

    Cut or Fold Along Line Cut or Fold Along Line Reader's Comments — We'd Like to Hear from You GC28-1920-01 IBM  Fold and Tape Please do not staple Fold and Tape NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO. 40 ARMONK, NEW YORK POSTAGE WILL BE PAID BY ADDRESSEE IBM Corporation Depar[...]

  • Page 109

    [...]

  • Page 110

    IBM  Program Number: 5645-001 Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber. Drop in Back Cover Image Here. GC28-192-1[...]