 |
The RACF® utilities are used
for maintaining, modifying, copying, unloading, and monitoring the RACF database.
Note: - If you are sharing a database between z/OS® and z/VM®,
run the utilities from the z/OS side
for ease of recovery and error reporting.
- If you are sharing a database, the templates must match the latest
level of code on the sharing systems. Run the IRRMIN00 utility for
the latest release to update the database templates. Because the
database structure changed for z/OS V1R8
to allow database templates that are larger than one 4K block, the
database templates for z/OS V1R8,
and higher, are not downwardly compatible unless you install APAR
OA12443 on the lower-level system. The APAR is available for z/OS V1R4, V1R5, V1R6, and V1R7.
An APAR is not required for z/VM systems.
For example, if z/OS V1R8 and z/OS V1R6 systems are sharing a
database, the templates must be at the z/OS V1R8
level, but the z/OS V1R6 system
can successfully use the database if it has APAR OA12443 installed.
For additional considerations when RRSF is used, see Shared RACF databases.
- Run z/OS Security Server
(RACF) utilities only on a z/OS Security Server (RACF) system. Do not use RACF utilities with an earlier release of RACF, and do not run utilities
from an earlier release of RACF on
your system. The exceptions to this are IRRMIN00 and IRRUT100, which
can be run on a lower-level system.
- In general, if you are sharing a RACF database between systems at different levels,
you can run any of the utilities, except IRRMIN00 and IRRUT400, from
any of the sharing systems. For example, if a z/OS V1R5 system is sharing a database with
a z/OS V1R6 system, you can
run the IRRUT200 utility from either the V1R5 system or the V1R6 system.
To get the most functionality, though, run the utility from the latest
level system sharing the database. For IRRMIN00 and IRRUT400, always
run the latest level of the utility. You can run IRRMIN00 on either
the latest level system sharing the database, or on an earlier system
using JCL that includes a STEPLIB to an APF-authorized library that
contains the latest version of the utility. Run IRRUT400 on the latest
level system sharing the database. For restrictions involving the
IRRIRA00 utility, see RACF internal reorganization of aliases utility program (IRRIRA00).
Rules: If
you are sharing a RACF database
between a system running z/OS V1R8
(or higher) and a z/OS V1R4
system, you must follow these rules: - Do not run the following utilities from the z/OS V1R4 system:
- IRRMIN00
- IRRUT200
- IRRUT400
- IRRUT300 (BLKUPD)
- IRRDBU00
- IRRIRA00
- Always run IRRUT400 from the highest level system.
- Run IRRMIN00 either from the highest level system, or from a lower
level system using JCL that includes a STEPLIB to an APF-authorized
library that contains the z/OS V1R8
(or higher) version of IRRMIN00.
- Run the other utilities from either a system running z/OS V1R8 (or higher) or run them from a z/OS V1R5, V1R6, or V1R7 system
with APAR OA12443 installed.
- A RACF database must not
reside in the extended addressing area of DASD volumes. If a RACF database is allocated in the
extended addressing area, RACF and
its related utilities may not work correctly. To ensure that RACF databases are not allocated
in the extended addressing area, the following DD statements for the
following RACF utilities must
not contain the keyword parameter EATTR unless its value is NO (EATTR=NO):
- the SYSRACF DD statement for the IRRMIN00 utility
- the SYSUT1 DD statement for the IRRUT200 utility
- the OUTDD DD statement for the IRRUT400 utility
|
z/OS Security Server RACF System Programmer's Guide
Copyright IBM Corporation 1990, 2014