Commands

Table 1 lists the new and changed RACF® commands. See z/OS Security Server RACF Command Language Reference for more detailed information.

Table 1. Summary of changed RACF commands
Command name Release Description Reason for change
Multiple commands: ADDUSER, ALTUSER, RDEFINE z/OS® V2R1
  • Commands have been updated to reflect the removal of the BPX.DEFAULT.USER UNIX profile.
  • The removal of RACF support for default OMVS segments.
ALTUSER z/OS V2R1 When NOEXPIRED is specified, the password or password phrase value you supply is subject to certain rules. Those rules include the basic RACF rules for password phrase syntax and any password syntax rules set by the installation through the SETROPTS PASSWORD(RULEn) command. The NOEXPIRED parameter has been clarified for password and password phrase syntax rules.
DELGROUP z/OS V2R1 Has been modified to issue a new ENF signal, ENF 79, for classes that have been defined in the RACF Class Descriptor Table with the SIGNAL=YES option Alert listeners to a possible change in a user’s or group's authorizations to resources.
DELUSER z/OS V2R1 Has been modified to issue a new ENF signal, ENF 79, for classes that have been defined in the RACF Class Descriptor Table with the SIGNAL=YES option Alert listeners to a possible change in a user’s or group's authorizations to resources.
PERMIT z/OS V2R1 Has been modified to issue a new ENF signal, ENF 79, for classes that have been defined in the RACF Class Descriptor Table with the SIGNAL=YES option Alert listeners to a possible change in a user’s or group's authorizations to resources.
RACDCERT z/OS V2R1
  • The Re-adding a certificate sub-function conditions are updated for the RACDCERT ADD function.
  • The ADD function, PKCS #7 and PKCS #12 processing details.
  • The BIND function, TOKEN(token-name) sub-function is updated
  • The CHECKCERT, DELETE, GENCERT, REKEY, ROLLOVER functions are updated. A new LISTCHAIN function is added.
  • Re-adding a certificate sub-function conditions are updated for clarity.
  • The known signature algorithms to RACF are enhanced.
  • TOKEN(token-name) sub-function is enhanced for clarity.
  • Support for reporting certificates in the chain when added and listed.
z/OS V1R13 The following new command options are added:
  • The PKDS operand is added to the ADD and IMPORT functions.
  • The PKDS suboperand of the NISTECC and BPECC operands is added to the GENCERT and REKEY functions.
  • The RSA operand and PKDS suboperand are added to the GENCERT and REKEY functions.
 Hardware keys generated with elliptic curve cryptography (ECC) algorithms
z/OS V1R12
  • The following functions are updated to support certificates generated with elliptic curve cryptography (ECC) algorithms:
    • ADD
    • BIND
    • CHECKCERT
    • GENCERT
    • GENREQ
    • IMPORT
    • LIST
    • REKEY
  • The following functions are updated to support certificates with long distinguished names:
    • ADD
    • ALTER
    • DELETE
    • GENCERT
    • LIST
    • MAP
  • The following functions are updated to support certificate validity periods that extend beyond the year 2041:
    • ADD
    • CHECKCERT
    • GENCERT
    • IMPORT
    • LIST
    • REKEY
  • Keys generated with elliptic curve cryptography (ECC) algorithms
  • Long distinguished names. Also, APAR OA30560.
  • Long certificate validity periods. Also, APAR OA30951.
RACMAP z/OS V1R13 The QUERY function is added. Distributed identity filters
RALTER z/OS V2R1 Has been modified to issue a new ENF signal, ENF 79, for classes that have been defined in the RACF Class Descriptor Table with the SIGNAL=YES option Alert listeners to a possible change in a user’s or group's authorizations to resources.
z/OS V1R13 The CHECKADDRS and NOCHECKADDRS options of the KERB operand are added. Support for Network Authentication Service
z/OS V1R12 The SYMCPACFWRAP suboperand is added to the ICSF operand. Support of ICSF encrypted symmetric keys and CP Assist for Cryptographic Function (CPACF). Also, APAR OA29193.
RDEFINE z/OS V2R1 Has been modified to issue a new ENF signal, ENF 79, for classes that have been defined in the RACF Class Descriptor Table with the SIGNAL=YES option Alert listeners to a possible change in a user’s or group's authorizations to resources.
z/OS V1R13 The CHECKADDRS option of the KERB operand is added. Support for Network Authentication Service
z/OS V1R12 The SYMCPACFWRAP suboperand is added to the ICSF operand. Support of ICSF encrypted symmetric keys and CP Assist for Cryptographic Function (CPACF). Also, APAR OA29193.
RDELETE z/OS V2R1 Has been modified to issue a new ENF signal, ENF 79, for classes that have been defined in the RACF Class Descriptor Table with the SIGNAL=YES option Alert listeners to a possible change in a user’s or group's authorizations to resources.
z/OS V1R12 The NOGENERIC operand is added. Improved RACF serviceability
RLIST z/OS V1R12
  • Support is added for the new SYMCPACFWRAP suboperand of the ICSF operand.
  • Support is added for the new UNUSABLE indicator in the listing of certain discrete profiles.
  • Support of ICSF encrypted symmetric keys and CP Assist for Cryptographic Function (CPACF). Also, APAR OA29193.
  • Improved RACF usability
SEARCH z/OS V1R12 Support is added for the new UNUSABLE indicator in the listing of certain discrete profiles. Improved RACF usability
SET z/OS V1R12
  • The GENERICANCHOR operand and the GENERICANCHOR suboperand of the TRACE operand are added.
  • The CLASS and USERID suboperands of the TRACE operand are added.
  • Generic profile performance
  • Improved RACF serviceability
TARGET z/OS V2R1
  • The TCP Address parameter has been updated.
  • TCP/IP was added as a communication protocol for RACF Remote Sharing Facility (RRSF) in z/OS V1R13, for IPv4. In z/OS V2R1 support is added for IPv6.
z/OS V1R13
  • The following new command options are added:
    • LISTPROTOCOL
    • PROTOCOL(TCP)
  • The several TARGET operands are updated to support the new PROTOCOL(TCP) option.
 TCP/IP support for RACF remote sharing facility (RRSF)
Parent topic: Security Server summary of interface changes