The RACF® subsystem enables
remote RACF administration
and password synchronization, provides an execution environment for
most RACF commands and provides
support for APPC persistent verification. Starting the subsystem is
optional but recommended. It is not necessary for system IPL or most RACF functions, but it is required
for the following functions:
- RACF remote sharing facility
The RACF subsystem is required for
the RACF remote sharing facility to
be operational. For more information see RACF remote sharing facility (RRSF).
- RACF commands as operator
commands
When the RACF subsystem
is active, most RACF commands
can be issued as operator commands. For more information, see RACF operator commands.
- R_admin (IRRSEQ00) callable service
When
the RACF subsystem is active,
it executes commands that are passed to it by R_admin. Applications
that use R_admin require the RACF subsystem
to be active.
- RACF LU6.2 persistent verification
The RACF subsystem provides a centralized
data owner/data server environment for the signed-on lists used by RACF persistent verification. The
lists are managed with the RACROUTE REQUEST=SIGNON macro. RACF also provides an execution
environment for the RACF persistent
verification operator commands, DISPLAY and SIGNOFF.
- Key generation for the Network Authentication Server (IBM® Kerberos)
When a user profile
has a KERB segment containing a Kerberos principal name (KERBNAME
field) and the user sets a non-expired password, a key is generated
and stored in the KERB segment of that user. When the change is because
of an application update (for example, TSO or CICS® logon), the RACF subsystem
generates the key. If the RACF subsystem
is not available, no key generation is performed for the password
change.
- Password and password phrase enveloping
When
the password or password phrase enveloping function is configured,
the RACF subsystem creates
encrypted envelopes for eligible users when their passwords or password
phrases are changed, and controls the retrieval of these envelopes
by authorized applications. For details on the enveloping function,
see z/OS Security Server RACF Security Administrator's Guide.
When
the enveloping function is configured, during RACF subsystem initialization RACF invokes z/OS® UNIX services to initialize itself
as a UNIX process, which requires
the OMVS kernel to be initialized. If the OMVS kernel is not initialized, RACF subsystem initialization waits
for OMVS initialization to complete. As a result, the RACF subsystem address space might initialize
later in the IPL sequence than it would if enveloping was not configured.
When
the enveloping function is configured, an OMVS shutdown can affect
the RACF subsystem. Enveloping
operations wait for OMVS to be restarted. If enough password or password
phrase changes are made while the OMVS kernel is unavailable, the
available tasks in the RACF subsystem
can be exhausted, affecting other RACF address
space functions that would otherwise not be affected by an OMVS shutdown.
An OMVS shutdown should not be performed while work is occurring on
the system. For information about shutting down OMVS, see z/OS UNIX System Services Planning.
- LDAP event notification
When LDAP event notification is configured,
the RACF subsystem contacts
the z/OS LDAP server to create
a change log entry when a RACF user
profile is updated. For more information, see z/OS Security Server RACF Security Administrator's Guide.
Tip: If you activate the RACF subsystem,
perform the following tasks to allow the security administrator and
system operator to address early startup issues because of RACF access failures:
- Define the RACF subsystem
as trusted. (For information about how to do this, see Assigning a user ID to the RACF subsystem.)
- Ensure that the security administrator and the system operator
know the correct command prefix for the RACF subsystem.
(For more information, see Updating the IEFSSNxx member of SYS1.PARMLIB.)
- Ensure that the security administrator has authorization to use
the MVS™ LOGON operator command.
Taking these steps allows the security administrator and system
operator to log on to an MVS console
and repair RACF profiles.
The RACF subsystem address
space is identified as a standard MVS subsystem.
The RACF subsystem provides
the following services:
Only one RACF subsystem
can run at a time. If you define more
than one RACF subsystem with
the same name in IEFSSNxx, only one starts.
It is possible to define two RACF subsystems
with different names, and start the second one after stopping the
first, but this is not recommended. If you choose to do this, you
must specify PARM=INITIAL on the MVS START
command whenever you start a RACF subsystem
that has a different name than the one that was previously running.
The RACF ASID
is not reusable. Do not specify REUSASID=YES on the START command
for the address space.