IBM GC28-1920-01 manual

OS/390 Place graphic in this area. Outline is keyline only. DO NOT PRINT. IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-01[...]

[...]

OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-01[...]

Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page xi. Second Edition, September 1996 This is a major revision of GC28-1920-00. This edition applies to Version 1 Release 2 of OS/390 (5645-001) and to all subsequent releases and modifications until otherwise indicated i[...]

iii[...]

iv OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Contents Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii About This Book ................................... xiii Who Should Use This Book .............................. xiii How to Use This Book ..............[...]

Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Publications Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Routines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

Chapter 9. Operational Considerations . . . . . . . . . . . . . . . . . . . . . 49 Enhancements to the RESTART Command .................... 4 9 Enabling and Disabling RACF ............................ 4 9 Chapter 10. Application Development Considerations ............ 5 1 Year 2000 Support ................................... 5 1 OS/390 OpenEdition [...]

viii OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Figures 1. Function Shipped In OS/390 Release 1 Security Server (RACF) ...... 5 2. Function Introduced After the Availability of OS/390 Release 1 Security Server (RACF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Function Introduced In OS/390 Release 2 Security Server (RACF) ..... 6 4. Function Not Shipped In OS/390 R[...]

x OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program or service may be used. A functionally equivalent pro[...]

Trademarks The following terms are trademarks of the IBM Corporation in the United States or other countries or both:  AS/400  BookManager  CICS  CICS/ESA  DB2  DFSMS  DFSMS/MVS  IBM  IBMLink  IMS  Library Reader  MVS  MVS/ESA  MVS/XA  NetView  OpenEdition  OS/2  OS/390  Parallel Sysplex  [...]

About This Book This book contains information about the Resource Access Control Facility (RACF), which is part of the OS/390 Security Server. The Security Server has two components:  RACF  OpenEdition DCE Security Server For information about the OpenEdition DCE Security Server, see the publications related to that component. This book provi[...]

 Chapter 7, “Administration Considerations” on page 37, summarizes changes to administration procedures for the new release of RACF.  Chapter 8, “Auditing Considerations” on page 45, summarizes changes to auditing procedures for the new release of RACF.  Chapter 9, “Operational Considerations” on page 49, summarizes changes to [...]

RACF Courses The following RACF classroom courses are also available:  Effective RACF Administration, H3927  MVS/ESA RACF Security Topics, H3918  Implementing RACF Security for CICS/ESA, H3992 IBM provides a variety of educational offerings for RACF. For more information on classroom courses and other offerings, see your IBM representative[...]

Other Sources of Information IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is available through the Internet. IBM Discussion Areas Two discussion areas provided by IBM are the MVSRACF discussion and the SECURITY discussion.  MVSRACF MVSRACF is available to custom[...]

You can get sample code, internally-developed tools, and exits to help you use RACF. All this code works 1 , but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use. The simplest way to reach this code is through the RACF home page. From the home page, click on System/[...]

Elements and Features in OS/390 You can use the following table to see the relationship of a product you are familiar with and how it is referred to in OS/390 Release 2. OS/390 Release 2 is made up of elements and features that contain function at or beyond the release level of the products listed in the following table. The table gives the name an[...]

Product Name and Level Name in OS/390 Base or Optional  OpenEdition Application Services  OpenEdition Application Services base  OpenEdition DCE Base Services (OSF DCE level 1.1)  OpenEdition DCE Base Services base  OpenEdition DCE Distributed File Service (DFS) (OSF DCE level 1.1)  OpenEdition DCE Distributed File Service (DFS) b[...]

xx OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Summary of Changes Summary of Changes for GC28-1920-01 OS/390 Release 2 This book contains new information for OS/390 Release 2 Security Server (RACF). Summary of Changes for GC28-1920-00 OS/390 Release 1 This book contains information previously presented in RACF Planning: Installation and Migration , GC23-3736, which supports RACF Version 2 Relea[...]

xxii OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 1. Planning for Migration This chapter provides information to help you plan your installation's migration to the new release of RACF. Before attempting to migrate, you should define a plan to ensure a smooth and orderly transition. A well thought-out and documented migration plan can help minimize any interruption of service. Your mig[...]

Installation Considerations Before installing a new release of RACF, you must determine what updates are needed for IBM-supplied products, system libraries, and non-IBM products. (Procedures for installing RACF are described in the program directory shipped with the product, not in this book.) Be sure you include the following steps when planning y[...]

Auditing Considerations Auditors who are responsible for ensuring proper access control and accountability for their installation are interested in changes to security options, audit records, and report generation utilities. For more information, see Chapter 8, “Auditing Considerations” on page 45. Operational Considerations The installation of[...]

4 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 2. Release Overview This chapter lists the new and enhanced features of RACF for OS/390 Release 2. It also lists the support that has not been updated in the new release. New and Enhanced Support For OS/390 Release 2, RACF provides new and enhanced support for:  OS/390 OpenEdition DCE  OS/390 OpenEdition MVS  SOMobjects for MVS, Ve[...]

Figure 2 on page 6 identifies function introduced after the availability of OS/390 Release 1 Security Server (RACF). Figure 3 identifies function introduced in OS/390 Release 2 Security Server (RACF). Figure 4 identifies function not shipped in OS/390 Release 2 Security Server (RACF), but available via PTF. Figure 2. Function Introduced After the A[...]

OS/390 OpenEdition DCE single signon support uses to sign in an authenticated OS/390 user to DCE. The RACF support for OS/390 OpenEdition DCE includes:  The DCE segment, which contains DCE information associated with a RACF user  The KEYSMSTR class, which holds a key to encrypt the DCE password  The DCEUUIDS class, which is used to define [...]

OS/390 OpenEdition OS/390 Release 2 OpenEdition adds new capabilities for which RACF provides support. Authorizing and Auditing Server Access to the CCS and WLM Services OS/390 Release 2 OpenEdition adds the capability to check whether servers are authorized to use the console communications service (CCS) and the workload manager (WLM) service. RAC[...]

so that the user's information can be customized independently of the user's workstation type. The SystemView Launch window lets users log on once, authenticating with their RACF password, and then get access to applications that SystemView for MVS supports by selecting an application from their customized task tree, without needing to sp[...]

 Output and notifications from commands that were directed via the AT or ONLYAT keywords. These are returned to the system on which the directed command was issued.  Notifications from RACLINK commands. These are returned to the system on which the RACLINK command was issued.  Output from password changes when automatic password direction [...]

the IRRDCR00 module to allow customers to convert a 3-byte packed decimal date to a 4-byte packed decimal date, using RACF's interpretation of the yy value. For more information on IRRDCR00, see “Year 2000 Support” on page 51. NetView RACF has added the NGMFVSPN field to the NETVIEW segment of the RACF user profile for future use by the Ne[...]

The PTF must be applied to all systems in the sysplex in order for these enhancements to take effect. However, systems with and without the PTF applied can coexist in the sysplex, and there is no requirement to IPL all systems in the sysplex when the PTF is applied. Note: PTF UW90293 is not shipped with OS/390 Release 2 Security Server (RACF). You [...]

Chapter 3. Summary of Changes to RACF Components for OS/390 Release 2 This chapter summarizes the new and changed components of OS/390 Release 2 Security Server (RACF). It includes summary charts for changes to the RACF:  Class descriptor table (CDT)  Commands  Data Areas  Exits  Macros  Messages  Panels  Publications Librar[...]

Figure 7 lists classes for which there are changes. Figure 6 (Page 2 of 2). New Classes Class Name Description Support FILE This class controls protection of shared file system (SFS) files on VM. RACF 1.10 for VM KEYSMSTR This class holds a key to encrypt DCE passwords stored in the RACF database. The profile in this class is named: DCE.PASSWORD.KE[...]

Figure 8. Changes to RACF Commands Command Description Support all If an attempt is made to invoke a RACF command when RACF is not enabled, RACF issues message IRR418I, and the command is not processed. OS/390 Enable/Disable ADDUSER ALTUSER These commands accept the new NGMFVSPN subkeyword on the NETVIEW keyword for future use by the NetView Graphi[...]

Data Areas Figure 9 lists changed general-use programming interface (GUPI) data areas for SAF to support RACF for OS/390 Release 2. Figure 10 lists changed product-sensitive programming interface (PSPI) data areas for for RACF. Figure 9. Changes to SAF GUPI Data Areas Data Area Description Support ACEE This data area has been enhanced to identify a[...]

Figure 11. Changed Exits for RACF Exit Description Support ICHRCX01 ICHRCX02 For unauthenticated client ACEEs, the RACROUTE REQUEST=AUTH preprocessing and postprocessing exits are invoked for both the client ACEE and the server ACEE. For more information, see “Effects of OS/390 OpenEdition DCE Support on ICHRCX01, ICHRCX02, and IRRSXT00” on pag[...]

New Messages The following messages are added: RACF Initialization Messages: ICH562I RACF Processing Messages: IRR418I Dynamic Parse (IRRDPI00 Command) Messages: IRR52152I RACF Database Split/Merge Utility (IRRUT400) Messages: IRR65038I Messages Issued by the RACF Subsystem: IRRB022I, IRRB077I, IRRB078I, IRRB079I, IRRB080I, IRRB081I, IRRB082I RRSF [...]

Panels Figure 13 lists RACF panels that are changed. Figure 13. Changed Panels for RACF Panel Description Support ICHP41I ICHP42I Existing panels for user administration of the NETVIEW segment have been updated to allow a user to add, change, or delete the NGMFVSPN field. NetView Publications Library Figure 14 lists changes to the OS/390 Security S[...]

SYS1.SAMPLIB Figure 16 identifies changes to RACF members of SYS1.SAMPLIB. Figure 16. Changes to SYS1.SAMPLIB Member Description Support IRRADULD This member has been updated with the SMF type 80 record for the new event code 65. OS/390 OpenEdition IRRADULD This member has been updated to support RACF 1.10 for VM audit records. RACF 1.10 for VM IRR[...]

Figure 17. Changes to Templates Template Description of Change Support General A new SVFMR segment provides the following information: Field Description SCRIPTN Script name PARMN Parameter list name SystemView for MVS Group A new OVM segment provides OpenEdition for VM information associated with a group. The segment provides the following informat[...]

Figure 18. Changes to Utilities Utility Description of Change Support IRRADU00 The SMF data unload utility has been updated to support unloading data from audit records created on a system running RACF 1.10 for VM. This support allows RACF 1.10 for VM audit records to be processed by OS/390 Security Server (RACF). RACF 1.10 for VM IRRDBU00 The RACF[...]

Chapter 4. Planning Considerations This chapter describes the following high-level planning considerations for customers upgrading to Security Server (RACF) Release 2 from Security Server (RACF) Release 1:  Migration strategy  Migration paths  Hardware requirements  Software requirements  Compatibility Migration Strategy The recommen[...]

RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT or TYPE=REPLACE before installing OS/390 Release 2 Security Server (RACF). In addition to this book you should read: – OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1, – RACF Planning: Installation and Migration for RACF 2.1, and – RACF Migration and Planning for RA[...]

Figure 19. Software Requirements for New Function Function Software Requirements OS/390 OpenEdition DCE interoperability support OpenEdition/MVS Release 3 plus APAR OW15865 (PTF UW23684) C Run Time Library plus APAR PN75309 (PTF UN90158) SOMobjects for MVS support Version 1 Release 2 of SOMobjects for MVS Compatibility This section describes consid[...]

26 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 5. Installation Considerations This chapter describes changes of interest to the system programmer installing OS/390 Release 2 Security Server (RACF):  Enabling RACF  Considerations for RRSF networks  Virtual storage considerations  Customer additions to the CDT  Templates Enabling RACF When you install OS/390 Release 2, make[...]

prefix Is a value you specify with the PREFIX keyword on the TARGET command sysname Is the system name. This name must match the value in the CVTSNAME field for the system it identifies. ds_identity Is either INMSG or OUTMSG The naming convention for the workspace data sets for remote connections is now: prefix.local_luname.remote_luname.ds_identit[...]

the description of the TARGET command in OS/390 Security Server (RACF) Command Language Reference for details. If any of the INMSG or OUTMSG workspace data sets are not empty, you should rename them to follow the new naming convention. For an example of JCL to perform this task, see Figure 20 on page 30. 6. Restart the RACF subsystem address space [...]

//// // // // RRSFALTR: // // // // IDCAMS JOB to rename the workspace data sets when installing // // PTF UW9235 (multisy[...]

//RRSFALTR JOB 'JOB TO RENAME WORKSPACE DATA SETS',MSGLEVEL=1,1 // // USE A JOBCAT OR STEPCAT WHERE NEEDED TO POINT TO THE CATALOG // THAT CONTAINS THE INFORMATION NEEDED FOR YOUR DATA SETS. // //STEP1 EXEC PGM=IDCAMS // THE WORKSPACE DATA SETS THAT REFER TO THE LOCAL SYSTEM SHOULD // BE CHANGED AS FOLLOWS: //SYSPRINT DD[...]

RACF Storage Considerations This section discusses storage considerations for RACF. Virtual Storage Figure 21 estimates RACF virtual storage usage, for planning purposes. Figure 21 (Page 1 of 2). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size FLPA RACF service routines, if IMS or CICS is using RACF for authorization checkin[...]

Figure 21 (Page 2 of 2). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size ELSQA Connect group table 64 + (48 × number_of_groups_connected) In-storage generic profiles 160 + number_of_generic_profiles × (14 + average_profile_size + average_profile_name_length) RACF storage tracking table 3500 RACROUTE REQUEST=LIST profiles N[...]

Templates for RACF on OS/390 Release 2 The RACF database must have templates at the Security Server (RACF) Release 2 level in order for RACF to function properly. If a Security Server (RACF) Release 2 system is sharing the database with a lower-level system (RACF 1.9, RACF 1.9.2, RACF 1.10, RACF 2.1, RACF 2.2, or Security Server (RACF) Release 1), [...]

Chapter 6. Customization Considerations This chapter identifies customization considerations for RACF. For additional information, see OS/390 Security Server (RACF) System Programmer's Guide . Customer Additions to the CDT Installations must verify that classes they have added to the class descriptor table (CDT) do not conflict with new classe[...]

– The first check uses the client ACEE. This is the ACEE that is associated with the current task. If the request is successful, the second check is performed. – The second check uses the ACEE associated with the server. This is the same ACEE that is associated with the address space. When each of these checks occurs, the RACF exits ICHRCX01 an[...]

Chapter 7. Administration Considerations This chapter summarizes the changes to administration procedures that the security administrator should be aware of. For more information, see OS/390 Security Server (RACF) Security Administrator's Guide . OS/390 OpenEdition DCE The interoperation of RACF with OS/390 OpenEdition DCE enables DCE applicat[...]

database. The mvsexpt utility takes a specified input file or the DCE registry for each principal specified and creates the RACF DCE segment and profiles in the RACF general resource class, DCEUUIDS. For more information on these utilities, see OpenEdition DCE Administration Guide . Although you can administer the DCEUUIDS profiles using the RACF R[...]

 The MVS user must have saved the current DCE password in the RACF DCE segment by invoking the DCE storepw command. Note: Users still need to maintain their passwords for RACF and OpenEdition DCE separately, and must use the DCE storepw to keep the DCE password that is stored in RACF current. Single signon support is not intended to be used by a[...]

OpenEdition Planning , and in OS/390 OpenEdition Programming: Assembler Callable Services Reference . The C language support for the pthread_security_np() function is discussed in OS/390 R2 C/C ++ Run-Time Library Reference . Threads and Security An application that uses the pthread_security_np service can customize the RACF identity of a thread. C[...]

Changes to RACF Authorization Processing Extensions have been introduced to RACF's processing of authorization requests in which both the RACF identity of the server and the RACF identity of a client of the server application are used in a resource access decision. RACF support for OpenEdition DCE introduces new indicators in the ACEE. These i[...]

resources. Profiles must reside in storage before RACROUTE REQUEST=FASTAUTH can be used to verify a user's access to a resource.  The client/server relationship is not propagated from the application server. If the security administrator implements access control to resources that use both the server's RACF identity and the client&apos[...]

SystemView for MVS Before an installation can use SystemView for MVS, the security administrator must:  Create profiles in the SYSMVIEW class for SystemView for MVS applications. The profiles define logon script and parameter information for the applications.  Authorize SystemView for MVS users to access the defined applications via the Syste[...]

44 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 8. Auditing Considerations This section summarizes the changes to auditing procedures for the RACF:  SMF records  Report writer utility  SMF data unload utility The auditor must decide on appropriate global auditing options for the new classes and on which auditing reports are to be produced. See OS/390 Security Server (RACF) Audit[...]

For more information on SMF records, see OS/390 Security Server (RACF) Macros and Interfaces . Figure 23 (Page 2 of 2). Changes to SMF Records Record Type Record Field Description of Change Support 80 Relocate 65 For event code 2, this SMF record contains flags indicating the ACEE type:  Unauthenticated client  Authenticated client  Server[...]

Auditing OS/390 OpenEdition DCE Support RACF provides one new audit function code (94) to audit OS/390 OpenEdition DCE support. Auditing SystemView for MVS Support Depending on the auditing options selecting when using the RACF SMF data unload utility (IRRADU00), customers might see SMF records returned for the new SYSMVIEW class and type 44 reloca[...]

48 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 9. Operational Considerations This section summarizes the changes to operating procedures for RACF for OS/390 Release 2. Enhancements to the RESTART Command The RESTART command has been enhanced. The new SYSNAME keyword allows an operator to restart connections to systems on a multisystem node. See OS/390 Security Server (RACF) Command Lang[...]

50 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 10. Application Development Considerations Application development is the process of planning, designing, and coding application programs that invoke RACF functions. This section highlights new support that might affect application development procedures:  Year 2000 support  OS/390 OpenEdition DCE Application Servers  Changes to th[...]

The security administrator has the option of enforcing the use of both the application server's RACF identity and the RACF identity of the client in resource access control decisions. RACF support for OS/390 OpenEdition DCE introduces new indicators in the ACEE. These indicators mark the ACEE as a client ACEE . Client ACEEs are created by OS/3[...]

For more information on the convert_id_np (BPX1CID) callable service, see OS/390 OpenEdition Programming: Assembler Callable Services Reference . The C language support for the __convert_id_np() is discussed in OS/390 R2 C/C ++ Run-Time Library Reference New Application Authorization Service A DCE application server on OS/390 can use DCE security s[...]

 “Macros” on page 17  “Templates” on page 20  “Utilities” on page 21  “Routines” on page 19 54 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 11. General User Considerations RACF general users use RACF to:  Log on to the system  Access resources on the system  Protect their own resources and any group resources to which they have administrative authority This chapter highlights new support that might affect general user procedures. OS/390 OpenEdition DCE If an installati[...]

56 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 12. NJE Considerations Several APARs shipped on OS/390 Release 2 Security Server (RACF) have implications for NJE. APAR OW14451 OS/390 Release 2 Security Server (RACF) includes a PTF that provides functions that change the way inbound NJE jobs and NJE sysout are handled by RACF. If your installation uses NJE and RACF nodes profiles it is im[...]

Actions Required With OW08457 and OW14451, group propagation and group translation has been fixed for NODES profiles, both for batch jobs and for SYSOUT. This change can significantly alter the external results of your NJE environment and your installation must decide what changes will best suit your needs. Case 1: Nodes defined to &RACLNDE. Fo[...]

List all GROUPJ and GROUPS NODES profiles that have a UACC value greater than or equal to READ, recording the profile names and all keywords necessary to add them back later. Then delete them. These profiles were previously irrelevant but now could result in failing jobs or unowned SYSOUT. Note that GROUPJ and GROUPS NODES profiles with a UACC valu[...]

60 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 13. Scenarios This chapter contains scenarios that might help you in planning your migration to Security Server (RACF) Release 2. Migrating an Existing RRSF Network to Use Multisystem Nodes If an existing RRSF network contains single-system RRSF nodes that share a RACF database, you can reconfigure the single-system RRSF nodes to a multisys[...]

2. Issue TARGET DORMANT commands from the operator's console to make all RRSF conversations dormant: prefix TARGET NODE(MIAMI1) DORMANT prefix TARGET NODE(ORLANDO) DORMANT 3. Issue a TARGET command from the operator's console to make MIAMI1 the main system on the new multisystem node MIAMI1. The old node name is used for the new multisyst[...]

5. Issue a TARGET command from the operator's console to define system SYSTEM1 as the MAIN system for the multisystem node. (Issuing this command allows you to reconfigure the node to make SYSTEM2 the main system at some future time.) prefix TARGET NODE(MIAMI1) SYSNAME(SYSTEM1) LOCAL MAIN OPERATIVE PREFIX(...) PROTOCOL(...) WORKSPACE(...) Add [...]

On MIAMI2: 1. Issue a TARGET command from the operator's console to define the connection with ORLANDO. prefix TARGET NODE(ORLANDO) OPERATIVE PREFIX(...) PROTOCOL(...) WORKSPACE(...) Add this command to the RACF parameter library for SYSTEM2. Note: The TARGET commands for SYSTEM1 and SYSTEM2 are now identical. If you want, you can now use a si[...]

Glossary A access . The ability to obtain the use of a protected resource. access authority . An authority related to a request for a type of access to protected resources. In RACF, the access authorities are NONE, EXECUTE, READ, UPDATE, CONTROL, and ALTER. accessor environment element (ACEE) . A description of the current user, including user ID, [...]

user ID on the same or a different RRSF node. Before a command can be directed from one user ID to another, a user ID association must be defined between them via the RACLINK command. command interpreter . A program that reads the commands that you type in and then executes them. When you are typing commands into the computer, you are actually typi[...]

F FASTAUTH request . The issuing of the RACROUTE macro with REQUEST=FASTAUTH specified. The primary function of a FASTAUTH request is to check a user's authorization to a RACF-protected resource or function. A FASTAUTH request uses only in-storage profiles for faster performance. The FASTAUTH request replaces the FRACHECK function. See also au[...]

is the local LU, and the LU through which communication is received is the partner LU. local node . The RRSF node from whose point of view you are talking. For example, if MVSA and MVSB are two RRSF nodes that are logically connected, from MVSA's point of view MVSA is the local node, and from MVSB's point of view MVSB is the local node. S[...]

 Daemon processes, which do systemwide functions in user mode, such as printer spooling  Kernel processes, which do systemwide functions in kernel mode, such as paging A process can run in an OpenEdition user address space, an OpenEdition forked address space, or an OpenEdition kernel address space. In an MVS system, a process is handled like[...]

RRSF nodes that are logically connected, from MVSX's point of view MVSY is a remote node, and from MVSY's point of view MVSX is a remote node. See also local node , target node . Resource Access Control Facility (RACF) . A n IBM-licensed product that provides for access control by identifying and verifying users to the system, authorizing[...]

sysplex communication . An optional RACF function that allows the system to use XCF services and communicate with other systems that are also enabled for sysplex communication. system authorization facility (SAF) . An MVS component that provides a central point of control for security decisions. It either processes requests directly or works with R[...]

OpenEdition MVS, a string that is used to identify a user. user profile . A description of a RACF-defined user that includes the user ID, user name, default group name, password, profile owner, user attributes, and other information. A user profile can include information for subsystems such as TSO and DFP. See TSO segment and DFP segment . V verif[...]

Index A ADDUSER command 15 administration classroom courses xv administration considerations migration 2 Airline Control System/MVS, support for 11 ALCS/MVS support ALCSAUTH class 13 ALCS/MVS, support for 11 ALCSAUTH class 11, 13 ALTUSER command 15 application development considerations DCE support 51 migration 3 year 2000 support 51 audit function[...]

DCE support (continued) auditing considerations 47 command changes 15 controlling access to R_dceruid callable service 42 DCEUUIDS class 13 deleting RACF user IDs 42 description 6 effect on exits 35, 36 general user considerations 55 KEYSMSTR class 14 new audit function codes 16 new record type for database unload utility 22 new segment for user te[...]

J JCICSJCT class 14, 53 JCL for renaming workspace data sets 30 K KCICSJCT class 14, 53 KEYSMSTR class 14 L library, RACF publications changes to 19 LSQA storage requirement 32 M macros changes to 17 ICHEINTY 17 RACROUTE REQUEST=DEFINE 17 main system 9 messages changes to 17 migration recommended strategy migration considerations administration 2 a[...]

PLPA storage requirement 32 programming interfaces changes to CDT 13 data areas 16 new routines 19 templates 21 publications changes to RACF library 19 on CD-ROM xiv softcopy xiv R R_dceruid callable service 42 RACDBULD member of SYS1.SAMPLIB 20 RACDBUTB member of SYS1.SAMPLIB 20 RACF classroom courses xv publications on CD-ROM xiv softcopy xiv RAC[...]

SMF data unload utility auditing considerations 47 changes to 22 SMF records changes to 45 OpenEdition DCE support 46 OpenEdition services 45 SOMDOBJS class 14 SOMobjects for MVS, support for administration considerations 42 CBIND class 13 description 8 SERVER class 14 SOMDOBJS class 14 SQA storage requirement 32 storage for RACF virtual 32 storage[...]

78 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration[...]

IBM  Let's face it, you have to search through a ton of hardcopy manuals to locate all of the information you need to secure your entire system. There are manuals for OS/390, VM, CICS, TSO/E; technical bulletins from the International Technical Support Organization (“red books”), Washington Systems Center (“orange books”); multiple [...]

[...]

[...]

Communicating Your Comments to IBM OS/390 Security Server (RACF) Planning: Installation and Migration Publication No. GC28-1920-01 If you especially like or dislike anything about this book, please use one of the methods listed below to send your comments to IBM. Whichever method you choose, make sure you send your name, address, and telephone numb[...]

Reader's Comments — We'd Like to Hear from You OS/390 Security Server (RACF) Planning: Installation and Migration Publication No. GC28-1920-01 You may use this form to communicate your comments about this publication, its organization, or subject matter, with the understanding that IBM may use or distribute whatever information you supp[...]

Cut or Fold Along Line Cut or Fold Along Line Reader's Comments — We'd Like to Hear from You GC28-1920-01 IBM  Fold and Tape Please do not staple Fold and Tape NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO. 40 ARMONK, NEW YORK POSTAGE WILL BE PAID BY ADDRESSEE IBM Corporation Depar[...]

[...]

IBM  Program Number: 5645-001 Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber. Drop in Back Cover Image Here. GC28-192-1[...]