IBM Server GC28-1920-01 Manual do Utilizador

OS/390Place graphic in thisarea. Outline iskeyline only. DO NOT PRINT.IBM Security Server (RACF)Planning: Installation and Migration GC28-1920-

viii OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

PLPAstorage requirement 32programming interfaceschanges to CDT 13data areas 16new routines 19templates 21publicationschanges to RACF library 19on

SMF data unload utilityauditing considerations 47changes to 22SMF recordschanges to 45OpenEdition DCE support 46OpenEdition services 45SOMDOBJS cla

78 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

IBM Let's face it, you have to search through a ton ofhardcopy manuals to locate all of the information youneed to secure your entire system.

Communicating Your Comments to IBMOS/390Security Server (RACF)Planning: Installation and MigrationPublication No. GC28-1920-01If you especially like o

Reader's Comments — We'd Like to Hear from YouOS/390Security Server (RACF)Planning: Installation and MigrationPublication No. GC28-1920-01Y

Cut or FoldAlong LineCut or FoldAlong LineReader's Comments — We'd Like to Hear from YouGC28-1920-01IBMFold and Tape Please do not staple F

Figures1. Function Shipped In OS/390 Release 1 Security Server (RACF) ... 52. Function Introduced After the Availability of OS/390 Release 1 Se

IBMProgram Number: 5645-001Printed in the United States of Americaon recycled paper containing 10%recovered post-consumer fiber.Drop in Back CoverIma

x OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

NoticesReferences in this publication to IBM products, programs, or services do not implythat IBM intends to make these available in all countries

TrademarksThe following terms are trademarks of the IBM Corporation in the United States orother countries or both:  AS/400  BookManager  C

About This BookThis book contains information about the Resource Access Control Facility (RACF),which is part of the OS/390 Security Server. The Se

 Chapter 7, “Administration Considerations” on page 37, summarizes changesto administration procedures for the new release of RACF. Chapter 8, “

RACF CoursesThe following RACF classroom courses are also available:Effective RACF Administration, H3927MVS/ESA RACF Security Topics, H3918Impl

Other Sources of InformationIBM provides customer-accessible discussion areas where RACF may bediscussed by customer and IBM participants. Other i

You can get sample code, internally-developed tools, and exits to help you useRACF. All this code works1, but is not officially supported. Each too

Elements and Features in OS/390You can use the following table to see the relationship of a product you are familiar with and how it isreferred to

Product Name and Level Name in OS/390 Base orOptional OpenEdition Application Services  OpenEdition Application Services base OpenEdition DCE Ba

xx OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

Summary of ChangesSummary of Changesfor GC28-1920-01OS/390 Release 2This book contains new information for OS/390 Release 2 Security Server (RACF).

xxii OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

Chapter 1. Planning for MigrationThis chapter provides information to help you plan your installation's migration tothe new release of RACF. B

Installation ConsiderationsBefore installing a new release of RACF, you must determine what updates areneeded for IBM-supplied products, system l

Auditing ConsiderationsAuditors who are responsible for ensuring proper access control and accountabilityfor their installation are interested in

4 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

Chapter 2. Release OverviewThis chapter lists the new and enhanced features of RACF for OS/390 Release 2.It also lists the support that has not be

OS/390 IBMSecurity Server (RACF)Planning: Installation and Migration GC28-1920-01

Figure 2 on page 6 identifies function introduced after the availability of OS/390Release 1 Security Server (RACF).Figure 3 identifies function in

OS/390 OpenEdition DCE single signon support uses to sign in an authenticatedOS/390 user to DCE.The RACF support for OS/390 OpenEdition DCE include

OS/390 OpenEditionOS/390 Release 2 OpenEdition adds new capabilities for which RACF providessupport.Authorizing and Auditing Server Access to the

so that the user's information can be customized independently of the user'sworkstation type.The SystemView Launch window lets users log

 Output and notifications from commands that were directed via the AT orONLYAT keywords. These are returned to the system on which the directedco

the IRRDCR00 module to allow customers to convert a 3-byte packed decimal dateto a 4-byte packed decimal date, using RACF's interpretation of

The PTF must be applied to all systems in the sysplex in order for theseenhancements to take effect. However, systems with and without the PTF app

Chapter 3. Summary of Changes to RACF Components forOS/390 Release 2This chapter summarizes the new and changed components of OS/390 Release 2Secur

Figure 7 lists classes for which there are changes.Figure 6 (Page 2 of 2). New ClassesClass Name Description SupportFILE This class controls

Figure 8. Changes to RACF CommandsCommand Description Supportall If an attempt is made to invoke a RACF commandwhen RACF is not enabled, RACF iss

Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page xi.Second Editio

Data AreasFigure 9 lists changed general-use programming interface (GUPI) data areas forSAF to support RACF for OS/390 Release 2.Figure 10 lists

Figure 11. Changed Exits for RACFExit Description SupportICHRCX01ICHRCX02For unauthenticated client ACEEs, the RACROUTEREQUEST=AUTH preprocessing

New MessagesThe following messages are added:RACF Initialization Messages: ICH562IRACF Processing Messages: IRR418IDynamic Parse (IRRDPI00 Comman

PanelsFigure 13 lists RACF panels that are changed.Figure 13. Changed Panels for RACFPanel Description SupportICHP41IICHP42IExisting panels for

SYS1.SAMPLIBFigure 16 identifies changes to RACF members of SYS1.SAMPLIB.Figure 16. Changes to SYS1.SAMPLIBMember Description SupportIRRADULD T

Figure 17. Changes to TemplatesTemplate Description of Change SupportGeneral A new SVFMR segment provides the followinginformation:Field Descrip

Figure 18. Changes to UtilitiesUtility Description of Change SupportIRRADU00 The SMF data unload utility has been updated tosupport unloading da

Chapter 4. Planning ConsiderationsThis chapter describes the following high-level planning considerations forcustomers upgrading to Security Serve

RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT or TYPE=REPLACEbefore installing OS/390 Release 2 Security Server (RACF). In addition to thisbook you should

Figure 19. Software Requirements for New FunctionFunction Software RequirementsOS/390 OpenEdition DCE interoperabilitysupportOpenEdition/MVS Rele

iii

26 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

Chapter 5. Installation ConsiderationsThis chapter describes changes of interest to the system programmer installingOS/390 Release 2 Security Serv

prefixIs a value you specify with the PREFIX keyword on theTARGET commandsysnameIs the system name. This name must match the value in theCVTSNAME

the description of the TARGET command in OS/390 Security Server (RACF)Command Language Reference for details.If any of the INMSG or OUTMSG workspac

////// //// RRSFALTR: //// //// IDCAMS JOB to rename the workspace data

//RRSFALTR JOB 'JOB TO RENAME WORKSPACE DATA SETS',MSGLEVEL=1,1//// USE A JOBCAT OR STEPCAT WHERE NEEDED TO POINT TO THE CATALOG// THA

RACF Storage ConsiderationsThis section discusses storage considerations for RACF. Virtual StorageFigure 21 estimates RACF virtual storage usage,

Figure 21 (Page 2 of 2). RACF Estimated Storage UsageStorage Subpool Usage How to Estimate SizeELSQA Connect group table 64 + (48 × number_of

Templates for RACF on OS/390 Release 2The RACF database must have templates at the Security Server (RACF) Release 2level in order for RACF to func

Chapter 6. Customization ConsiderationsThis chapter identifies customization considerations for RACF.For additional information, see OS/390 Securi

iv OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

– The first check uses the client ACEE. This is the ACEE that is associatedwith the current task. If the request is successful, the second check i

Chapter 7. Administration ConsiderationsThis chapter summarizes the changes to administration procedures that the securityadministrator should be

database. The mvsexpt utility takes a specified input file or the DCEregistry for each principal specified and creates the RACF DCE segmentand pro

 The MVS user must have saved the current DCE password in the RACF DCEsegment by invoking the DCE storepw command.Note: Users still need to maint

OpenEdition Planning, and in OS/390 OpenEdition Programming: AssemblerCallable Services Reference. The C language support for thepthread_security_

Changes to RACF Authorization ProcessingExtensions have been introduced to RACF's processing of authorization requests inwhich both the RACF i

resources. Profiles must reside in storage before RACROUTEREQUEST=FASTAUTH can be used to verify a user's access to a resource. The client/s

SystemView for MVSBefore an installation can use SystemView for MVS, the security administratormust: Create profiles in the SYSMVIEW class for Sys

44 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

Chapter 8. Auditing ConsiderationsThis section summarizes the changes to auditing procedures for the RACF:  SMF records Report writer utility

ContentsNotices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiTrademarks . . . . . . . . . . . . . . . .

For more information on SMF records, see OS/390 Security Server (RACF) Macrosand Interfaces.Figure 23 (Page 2 of 2). Changes to SMF RecordsR

Auditing OS/390 OpenEdition DCE SupportRACF provides one new audit function code (94) to audit OS/390 OpenEdition DCEsupport.Auditing SystemView fo

48 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

Chapter 9. Operational ConsiderationsThis section summarizes the changes to operating procedures for RACF forOS/390 Release 2.Enhancements to the

50 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

Chapter 10. Application Development ConsiderationsApplication development is the process of planning, designing, and codingapplication programs tha

The security administrator has the option of enforcing the use of both theapplication server's RACF identity and the RACF identity of the cli

For more information on the convert_id_np (BPX1CID) callable service, see OS/390OpenEdition Programming: Assembler Callable Services Reference. The

 “Macros” on page 17 “Templates” on page 20 “Utilities” on page 21 “Routines” on page 1954 OS/390 V1R2.0 Security Server (RACF) Planning: Inst

Chapter 11. General User ConsiderationsRACF general users use RACF to: Log on to the system Access resources on the system Protect their own res

Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Panels . . . . . . . . . . . . . . . . . . . . . . .

56 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

Chapter 12. NJE ConsiderationsSeveral APARs shipped on OS/390 Release 2 Security Server (RACF) haveimplications for NJE. APAR OW14451OS/390 Releas

Actions RequiredWith OW08457 and OW14451, group propagation and group translation has beenfixed for NODES profiles, both for batch jobs and for S

List all GROUPJ and GROUPS NODES profiles that have a UACC value greaterthan or equal to READ, recording the profile names and all keywords necessa

60 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

Chapter 13. ScenariosThis chapter contains scenarios that might help you in planning your migration toSecurity Server (RACF) Release 2.Migrating a

2. Issue TARGET DORMANT commands from the operator's console to make allRRSF conversations dormant:prefixTARGET NODE(MIAMI1) DORMANTprefixTAR

5. Issue a TARGET command from the operator's console to define systemSYSTEM1 as the MAIN system for the multisystem node. (Issuing thiscomman

On MIAMI2: 1. Issue a TARGET command from the operator's console to define theconnection with ORLANDO.prefixTARGET NODE(ORLANDO) OPERATIVEPR

GlossaryAaccess. The ability to obtain the use of a protectedresource.access authority. An authority related to a request fora type of access to

Chapter 9. Operational Considerations . . . . . . . . . . . . . . . . . . . . . 49Enhancements to the RESTART Command ... 49Enab

user ID on the same or a different RRSF node. Beforea command can be directed from one user ID toanother, a user ID association must be defined be

FFASTAUTH request. The issuing of the RACROUTEmacro with REQUEST=FASTAUTH specified. Theprimary function of a FASTAUTH request is to check auser&a

is the local LU, and the LU through whichcommunication is received is the partner LU.local node. The RRSF node from whose point of viewyou are ta

 Daemon processes, which do systemwide functionsin user mode, such as printer spooling Kernel processes, which do systemwide functions inkernel m

RRSF nodes that are logically connected, from MVSX'spoint of view MVSY is a remote node, and from MVSY'spoint of view MVSX is a remote n

sysplex communication. An optional RACF functionthat allows the system to use XCF services andcommunicate with other systems that are also enabled

OpenEdition MVS, a string that is used to identify auser.user profile. A description of a RACF-defined userthat includes the user ID, user name,

IndexAADDUSER command 15administrationclassroom courses xvadministration considerationsmigration 2Airline Control System/MVS, support for 11ALCS/

DCE support (continued)auditing considerations 47command changes 15controlling access to R_dceruid callable service 42DCEUUIDS class 13deleting RA

JJCICSJCT class 14, 53JCL for renaming workspace data sets 30KKCICSJCT class 14, 53KEYSMSTR class 14Llibrary, RACF publicationschanges to 19LSQAsto