IBM OS/390 инструкция обслуживания

OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-03[...]

[...]

OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-03[...]

Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page vii. Fourth Edition, September 1997 This is a major revision of GC28-1920-02. This edition applies to Version 2 Release 4 of OS/390 (5647-A01) and to all subsequent releases and modifications until otherwise indicated [...]

Contents Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix About This Book .................................... x i Who Should Use This Book ............................... x i How to Use This Book ..............[...]

SYS1.SAMPLIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Publications Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Chapter 4. Planning Considerations . . . . . . . . . . . . . . . . . . . . . . . 21 Migration Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

Figures 1. New Callable Services ............................. 1 1 2. Changed Callable Services ........................... 1 2 3. New Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 4. Changes to RACF Commands ......................... 1 3 5. Changes to PSPI Data Areas ......................... 1 6 6. Changed Execu[...]

vi OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program, or service may be used. A functionally equivalent pr[...]

viii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Trademarks The following terms are trademarks of the IBM Corporation in the United States or other countries or both:  AIX/6000  BookManager  CICS  CICS/ESA  DB2  DFSMS  FFST  FFST/MVS  IBM  IBMLink  IMS  Library Reader  MVS/ESA  MVS/XA  NetView  OpenEdition  OS/2  OS/390  Parallel Sysplex ?[...]

x OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

About This Book This book contains information about the Resource Access Control Facility (RACF), which is part of the OS/390 Security Server. The Security Server has two components:  RACF  OpenEdition DCE Security Server For information about the OpenEdition DCE Security Server, see the publications related to that component. This book provi[...]

 Chapter 6, “Customization Considerations” on page 29, highlights information about customizing function to take advantage of new support after the new release of RACF is installed.  Chapter 7, “Administration Considerations” on page 31, summarizes changes to administration procedures for the new release of RACF.  Chapter 8, “Aud[...]

RACF Courses The following RACF classroom courses are also available:  Effective RACF Administration, H3927  MVS/ESA RACF Security Topics, H3918  Implementing RACF Security for CICS/ESA, H3992 IBM provides a variety of educational offerings for RACF. For more information on classroom courses and other offerings, see your IBM representative[...]

Other Sources of Information IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is available through the Internet. IBM Discussion Areas Two discussion areas provided by IBM are the MVSRACF discussion and the SECURITY discussion.  MVSRACF MVSRACF is available to custom[...]

You can get sample code, internally-developed tools, and exits to help you use RACF. All this code works in our environment, at the time we make it available, but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use. The simplest way to reach this code is through the RA[...]

xvi OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Summary of Changes | Summary of Changes | for GC28-1920-03 | OS/390 Version 2 Release 4 | This book contains primarily new information for OS/390 Version 2 Release 4 | Security Server (RACF). When any information appeared in an earlier release, the | information that is new is indicated by a vertical line to the left of the change. Summary of Chang[...]

xviii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 1. Planning for Migration This chapter provides information to help you plan your installation's migration to the new release of OS/390 Security Server (RACF). Before attempting to migrate, you should define a plan to ensure a smooth and orderly transition. A well thought-out and documented migration plan can help minimize any interrup[...]

Installation Considerations Before installing a new release of RACF, you must determine what updates are needed for IBM-supplied products, system libraries, and non-IBM products. (Procedures for installing RACF are described in the program directory shipped with OS/390, not in this book.) Be sure you include the following steps when planning your p[...]

Auditing Considerations Auditors who are responsible for ensuring proper access control and accountability for their installation are interested in changes to security options, audit records, and report generation utilities. For more information, see Chapter 8, “Auditing Considerations” on page 33. Application Development Considerations Applica[...]

4 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 2. Release Overview This chapter lists the new and enhanced functions of RACF for OS/390 Release 4 and gives a brief overview of each new function or function enhancement. New and Enhanced Support For OS/390 Release 4, RACF provides:  Support for the RACF/DB2 external security module  Additional auditing of OpenEdition superusers stat[...]

Enhancements to Support for OpenEdition Services Enhancements to RACF's support for OpenEdition services include:  Extended ability to audit the use of superuser status  Default USER/GROUP support provided by APAR OW26800 Extended Ability to Audit the Use of Superuser Status This support allows the auditing of the new OpenEdition spawn s[...]

The getUMAP and getGMAP services also look for default values. If getUMAP is given a UID as input and the corresponding USER profile has no OMVS segment, the caller of the getUMAP service receives the default. If no default value is found, RACF return code 8, reason code 4 are returned by the getUMAP service. If a UID is passed to getUMAP, then it [...]

 The ALTUSER command allows an administrator to reset a user's password to a temporary password or a default value. This command is modified to save the old password whenever the password is reset.  The PASSWORD USER ( userid ) command provides users and administrators with a password reset function. This command is modified to save the [...]

system. This support provides a solution to many customers that find themselves in such a situation. The PERMIT command has a new keyword to add users and groups to the conditional access list, WHEN(SYSID(...)). This keyword is allowed only for the PROGRAM class. WHEN(SYSID(...)) is similar to the existing keywords WHEN(TERMINAL(...)), WHEN(PROGRAM[...]

Enable/Disable Changes OS/390 Version 2 Release 4 has a new product ID that affects the enable/disable function in all of its elements including the Security Server. The ID() value used in the IFAPRDxx parmlib member needs to be "5647-A01". The remainder of the parameters remain the same. Without this necessary change to the ID() paramete[...]

Chapter 3. Summary of Changes to RACF Components for OS/390 Release 4 This chapter summarizes the new and changed components of OS/390 Release 4 Security Server (RACF). It includes the following summary charts for changes to the RACF:  Callable Services  Class descriptor table (CDT)  Commands  Data Areas  Exits  Macros  Message[...]

Figure 2. Changed Callable Services Callable Service Name Description Support initUSP  If no OMVS segment is found in the user's profile, the initUSP service checks the BPX.DEFAULT.USER profile in the FACILITY class. This profile may contain a user ID in its application data field that provides a default OMVS segment. If this default is fou[...]

Figure 3. New Classes Name Description Support DSNADM DB2 administrative authority class DB2 GDSNBP Grouping class for buffer pool privileges DB2 GDSNCL Grouping class for collection privileges DB2 GDSNDB Grouping class for database privileges DB2 GDSNPK Grouping class for package privileges DB2 GDSNPN Grouping class for plan privileges DB2 GDSNSG [...]

Figure 4 (Page 2 of 3). Changes to RACF Commands Command Description Support ALTUSER This command supports the removal of all of the user's CLAUTH authorities by using NOCLAUTH(*). For more information on the ALTUSER NOCLAUTH keywords, see OS/390 Security Server (RACF) Command Language Reference . TME 10 PERMIT The PERMIT command allows the ke[...]

Figure 4 (Page 3 of 3). Changes to RACF Commands Command Description Support TARGET The new keyword WDSQUAL is added to the RACF TARGET command to indicate that the variable that follows will be used by RRSF as the middle qualifier for the work space data set names of the INMSG and OUTMSG queues for the local RRSF node defined by the TARGET command[...]

Figure 5. Changes to PSPI Data Areas Data Area Description Support AFC This data area maps the contents for the Open Edition MVS security audit function codes. An audit function code has been added to audit when ck_priv is called from OpenEdition_spawn (BPX1SPN). Auditability of super user requests. COMP This data area maps the common SAF/RACF para[...]

RFXALET and RFXLOGS correspond to new fields in the RACROUTE REQUEST=FASTAUTH parameter list. These fields only exist in parameter lists created with RELEASE=2.4 or higher. Therefore, these fields must only be accessed when the RFXPVERS indicates Release 2.4 or higher. Macros Figure 6 lists changes to executable macros for OS/390 Release 4. These a[...]

RALTER Command Messages: ICH11304I SETROPTS Command Messages: ICH14042I RACF Manager Error Messages: ICH51011I RACF Processing Messages: IRR410I RACF Utility Messages: IRR67032I, IRR67034I, IRR67124I, IRR67153I, IRR67183I RRSF Enveloping Messages: IRRV002I, IRRV005I, IRRV013I, IRRV014I RACF Operational Modes and Coupling Facility Messages: IRRX013A[...]

Figure 7. New Panels for RACF Panel Description Support ICHP241n This panel enables you to add an entry for the conditional access list and to identify the access authority for it. Program control by system ID ICHP242n This panel enables you to remove an entry from the conditional access list and to identify the access list from which conditions ar[...]

Publications Library Figure 10 lists changes to the OS/390 Security Server (RACF) publications library. Note: You are able to print the softcopy documentation, either in its entirety or simply portions of it. Figure 10. Changes to the RACF Publications Library Publication Change OS/390 Security Server (RACF) Callable Services This publication is av[...]

Chapter 4. Planning Considerations This chapter describes the following high-level planning considerations for customers upgrading to OS/390 Release 4 Security Server (RACF) from OS/390 Release 3 Security Server (RACF):  Migration strategy  Migration paths  Hardware requirements  Compatibility Migration Strategy The recommended steps fo[...]

– OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1.(GC28-1920-00) If you have RACF 1.9.2 installed, in addition to this book, you should read: – OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 2, (GC28-1920-01) and Release 3 (GC28-1920-02) – OS/390 Security Server (R[...]

Compatibility This section describes considerations for compatibility between OS/390 Release 4 Security Server (RACF) and OS/390 Release 3 Security Server (RACF). OpenEdition MVS If you are an OpenEdition MVS user, be sure to review carefully the following information on possible changes. For Auditability of Superusers If you are not already auditi[...]

24 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 5. Installation Considerations This chapter describes the following changes of interest to the system programmer installing OS/390 Release 4 Security Server (RACF):  Virtual storage considerations  Templates RACF Storage Considerations This section discusses storage considerations for RACF. Using the RACF DB2 external security module [...]

Figure 11 (Page 2 of 3). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size ESQA RACF data sharing control area 300 (when enabled for sysplex communication) Class descriptor table (CNSX) (number_of_IBM-defined_classes × 28) + (number_of_IBM-defined_entries_in_router_table × 30) + (number_of_customer_defined_classes × 58) + 2[...]

Figure 11 (Page 3 of 3). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size ECSA RACF data set descriptor table and extension 168 + (896 × number_of_RACF_primary_data_sets) RACF ICB (non-shared DB) 4096 per RACF database if the database is not shared and is not on a device marked as shared, 0 otherwise | RACF program control t[...]

28 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 6. Customization Considerations This chapter identifies customization considerations for OS/390 Release 4 Security Server (RACF). For additional information, see OS/390 Security Server (RACF) System Programmer's Guide . Customer Additions to the Router Table and the CDT Installations must verify that classes they have added to the rout[...]

 Set the options in the RACF/DB2 external security module. To do this, see OS/390 Security Server (RACF) System Programmer's Guide .  Decide which DB2 objects are to be protected using RACF. Define the appropriate profiles. To do this, see OS/390 Security Server (RACF) Security Administrator's Guide .  Activate the RACF/DB2 exter[...]

Chapter 7. Administration Considerations This chapter summarizes the changes to administration procedures that the security administrator should be aware of. For more information, see OS/390 Security Server (RACF) Security Administrator's Guide . The TMEADMIN Class The new TMEADMIN class is used to associate a TME administrator with a RACF MVS[...]

Enhancements of Global Access Checking When you use RACROUTE REQUEST=AUTH processing (which utilizes global access checking) for general resource classes, these classes can be processed whether or not the class is RACLISTed using SETROPTS RACLIST or RACROUTE REQUEST=LIST. 32 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 8. Auditing Considerations This section summarizes the changes to auditing procedures for SMF records. SMF Records Figure 12 summarizes changes to SMF records created by RACF for OS/390 Release 4. These changes are general-use programming interfaces (GUPI). For more information on SMF records, see OS/390 Security Server (RACF) Macros and In[...]

34 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 9. Application Development Considerations Application development is the process of planning, designing, and coding application programs that invoke RACF functions. This section highlights new support that might affect application development procedures:  Programming interfaces  RELEASE=2.4 keyword on macros  Changes to RACROUTE RE[...]

36 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Chapter 10. General User Considerations RACF general users use RACF to:  Log on to the system  Access resources on the system  Protect their own resources and any group resources to which they have administrative authority For more information on the output general users might receive, see OS/390 Security Server (RACF) General User's [...]

38 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Glossary A access . The ability to obtain the use of a protected resource. access authority . An authority related to a request for a type of access to protected resources. In RACF, the access authorities are NONE, EXECUTE, READ, UPDATE, CONTROL, and ALTER. accessor environment element (ACEE) . A description of the current user, including user ID, [...]

DATASET classes. The table is generated by executing the ICHERCDE macro once for each class. The class descriptor table contains both the IBM provided classes and also the installation defined classes. CLAUTH . See class authority . command direction . A RRSF function that allows a user to issue a command from one user ID and direct that command to[...]

E entity . A user, group, or resource (for example, a DASD data set) that is defined to RACF. EXTRACT request . The issuing of the RACROUTE macro with REQUEST=EXTRACT specified. An EXTRACT request retrieves or replaces certain specified fields from a RACF profile or encodes certain clear-text (readable) data. The EXTRACT request replaces the RACXTR[...]

L LIST request . The issuing of the RACROUTE macro with REQUEST=LIST specified. A LIST request builds in-storage profiles for RACF-defined resources. The LIST request replaces the RACLIST function. local logical unit (LU) . Local LUs are LUs defined to the MVS system; partner LUs are defined to remote systems. It is a matter of point of view. From [...]

posit . A number specified for each class in the class descriptor table that identifies a set of flags that control RACF processing options. See the keyword description for posit in OS/390 Security Server (RACF) Macros and Interfaces . process . (1) A function being performed or waiting to be performed. (2) An executing function, or one waiting to [...]

set that is RACF-protected by a discrete profile must also be RACF-indicated. RACROUTE macro . An assembler macro that provides a means of calling RACF to provide security functions. See also AUDIT request, AUTH request, DEFINE request, DIRAUTH request, EXTRACT request, FASTAUTH request, LIST request, SIGNON request, STAT request, TOKENBLD request,[...]

supervisor . The part of a control program that coordinates the use of resources and maintains the flow of processing unit operations. Synonym for supervisory routine . supervisory routine . A routine, usually part of an operating system, that controls the execution of other routines and regulates the flow of work in a data processing system. Synon[...]

security program for the system. The batch job owner is specified on the USER parameter on the JOB statement or inherited from the submitter of the job. This user ID identifies a RACF user profile.  OMVS user ID: A numeric value between 0 and 2147483647, called a UID (or sometimes a user number), that identifies a user to OpenEdition services. T[...]

How to Get Your RACF CD Let's face it, you have to search through a ton of hardcopy manuals to locate all of the information you need to secure your entire system. There are manuals for OS/390, VM, CICS, TSO/E; technical bulletins from the International Technical Support Organization (“red books”), Washington Systems Center (“orange book[...]

48 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration[...]

Index A access list entry conditional 23 standard 23 ACEEALET keyword 16 ADDUSER command 15 administration classroom courses xiii administration considerations migration 2 ALTUSER command 7, 13, 14, 15 application development considerations migration 3 auditing 23 auditing considerations changed SMF records 33 migration 3 superuser status 6 C calla[...]

getGMAP callable service 6, 12 getUMAP callable service 6, 12 global access checking 10 H hardware requirements planning considerations 22 HRF2240 9 I ICHEACTN macro, changes to 17 ICHEINTY macro, changes to 17 ICHETEST macro, changes to 17 initUSP callable service 6, 12 installation considerations 25 templates 27 installation exits 1 See also exit[...]

R R_Admin callable service 8, 11 RACF classroom courses xiii publications on CD-ROM xii softcopy xii RACF 1.9 migration path from 22 RACF 1.9.2 migration path from 22 RACF 2.1 migration path from 22 RACF 2.2 migration path from 21 RACF administration classroom courses xiii RACF panels changed 19 RACF releases prior to 1.9 migration path from 22 RAC[...]

[...]

Readers' Comments — We'd Like to Hear from You OS/390 Security Server (RACF) Planning: Installation and Migration Publication No. GC28-1920-03 Overall, how satisfied are you with the information in this book? How satisfied are you that the information in this book is: Please tell us how we can improve this book: Thank you for your respo[...]

Cut or Fold Along Line Cut or Fold Along Line Readers' Comments — We'd Like to Hear from You GC28-1920-03 IBM  Fold and Tape Please do not staple Fold and Tape NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO. 40 ARMONK, NEW YORK POSTAGE WILL BE PAID BY ADDRESSEE IBM Corporation Depar[...]

[...]

IBM  Program Number: 5647-A01 Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber. GC28-192ð-ð3[...]