z/OS Security Server RACF System Programmer's Guide
Contents (exploded view)
z/OS Security Server RACF System Programmer's Guide
SA23-2287-00
Abstract for Security Server RACF System Programmer's Guide
z/OS Version 2 Release 1 summary of changes
Security and the RACF database
Data processing security
How RACF meets security needs
Identifying and verifying users
Authorizing users to access resources
Controlling access to resources
Logging and reporting
Administering security
Basic RACF concepts
RACF and the operating system
The RACF database
Database templates
Keeping all copies of your database templates at the same level
Steps for synchronizing the database templates when you install a new release of RACF, or a PTF that includes new templates and requires an IPL, and you have not yet re-IPLed
Steps for synchronizing the database templates when you install a new release of RACF, or a PTF that includes new templates and requires an IPL, and you have re-IPLed without running IRRMIN00
Steps for synchronizing the database templates when you install a PTF that has new templates and does not require an IPL
Multiple data set support
Backup RACF database
Taking additional backup measures
Shared RACF databases
General considerations
Considerations when sharing between z/OS and z/VM systems
Considerations for the RACGLIST class
Considerations for classes that do not allow generic profile processing
Considerations for dynamic classes
Considerations for static classes
RACF sysplex communication
Sharing RACF data without sharing a database
Creating a RACF database
Finding a location for the RACF database
Copying your database
Procedure for the primary database
Procedure for the backup database
Using DFSMSdss DEFRAG
DFSMS enhanced data integrity (EDI)
Monitoring the usable space in your RACF database
Performance considerations
The RACF database
Selection of control unit and device
Shared RACF database
RACF remote sharing facility
RACF sysplex data sharing
Multiple data sets
RACF sysplex data sharing
RACF remote sharing facility
Database housekeeping
Creating backup RACF databases
Options for updating backup databases
Resident data blocks
RVARY SWITCH command
Auditing
Operands requiring the AUDITOR attribute
APPLAUDIT
AUDIT
CMDVIOL
LOGOPTIONS
OPERAUDIT
SAUDIT
SECLABELAUDIT
SECLEVELAUDIT
RACF commands
RACF utility programs
BLKUPD
IRRUT200
Failsoft processing
Erase-on-scratch
Installation-written exit routines
Using global access checking
The SETROPTS command
Using SETROPTS RACLIST and SETROPTS GENLIST
RACLIST processing
RACROUTE considerations when using SETROPTS RACLIST
Refreshing SETROPTS RACLIST processing
Shared system considerations
GENLIST processing
Refreshing in-storage generic profiles
SETROPTS REFRESH processing on shared systems
Using SETROPTS INITSTATS and SETROPTS STATISTICS
INITSTATS processing
STATISTICS processing
Recommendations on using STATISTICS
Identification, verification, and authorization of user IDs
User identification and verification
RACROUTE REQUEST=VERIFY or VERIFYX processing
RACROUTE REQUEST=SIGNON processing
Improving verification performance using VLF
RACROUTE REQUEST=AUTH processing
RACROUTE REQUEST=FASTAUTH processing
Program signing and signature verification
Using generic profiles
Customizing the number of lists of generic profiles that RACF maintains
Mapping UIDs to user IDs and GIDs to group names
z/OS UNIX System Services applications
Large profiles
Large groups
Universal groups
RACF customization
Specifying RACF database options
The data set name table
Table format
A 44-byte data set name (primary)
A 44-byte data set name (backup)
A 1-byte resident data-block count field
A 1-byte flag field
RACF sysplex communication
Effects of not using a data set name table
Emergency data set name tables
Sysplex considerations
Selecting the number of resident data blocks
Shared RACF database
Non-shared RACF database
Data set name table examples
Example 1—using a split database
Example 2—Using RACF sysplex data sharing
Example 3—Using RACF sysplex communication
The database range table
Table format
Internal profile naming for general resource classes
Internal profile naming for alias index entries
Database range table example
Specifying resource-class options
The class descriptor table (CDT)
Adding installation-defined classes to the static class descriptor table
Changing an installation-defined class in the static class descriptor table
Deleting an installation-defined class from the static class descriptor table
The RACF router table
Adding an entry to the RACF router table
ENF signals
Type 62 ENF signals
Type 71 ENF signals
Type 79 ENF signals
Password authentication options
The RACF DES algorithm
How the RACF DES algorithm works
The two-step method of password authentication
Using the DES algorithm without the two-step method of checking
Using the masking algorithm
Using your own authentication algorithm
PassTicket authentication
How RACF processes the password or PassTicket
Changing the RACF report writer options (ICHRSMFI module)
Customizing the RACF remote sharing facility
Operating considerations
Enabling and disabling RACF
Enabling RACF
Disabling RACF
Dynamic parse and IRRDPI00
Syntax of the IRRDPI00 command
IRRDPI00 errors and return codes
RACF authorization of the IRRDPI00 command
TSO/E authorization of the IRRDPI00 command
Automating IRRDPI00
Running IRRDPI00 from the RACF parameter library
Running IRRDPI00 from a started procedure
ACEEs and VLF considerations
Dependencies
Operation
Removing information from VLF
Shared database considerations
VLF considerations for mapping UIDs and GIDs
Dependencies
VLF considerations for caching user security packets (USPs)
Dependencies
VLF considerations for program signature verification
Dependencies
The RACF subsystem
Activating the RACF subsystem
Updating the IEFSSNxx member of SYS1.PARMLIB
Assigning a user ID to the RACF subsystem
Additional setup for the RACF subsystem user ID
The RACF PROC
Restarting the RACF subsystem
Restarting a function in the RACF subsystem
Examples
Restarting a function after applying maintenance
Restarting a function to recover from failures
Stopping the RACF subsystem address space
Diagnosing problems in the RACF subsystem
RACF operator commands
Group tree in storage
Shared database considerations
Using the global resource serialization function
RACF ENQ resources
Sysplex considerations
Sharing a database
Sharing a database with sysplex communication in non–data sharing mode
Sharing between sysplex members and systems outside the sysplex
Sharing a database with sysplex communication in data sharing mode
Guarding against data corruption resulting from incorrect database sharing
Guarding against data corruption resulting from incorrect database sharing at IPL time
Guarding against data corruption resulting from incorrect database sharing when changing the status of a RACF database
Sysplex communication
Non-data sharing mode
Data sharing mode
Using the coupling facility with a single MVS image
Read-only mode
Failsoft mode
Enabling sysplex communication
Inactive backup data sets
Defining RACF structures for the coupling facility
Structure names
Structure size
Minimum Structure Size
Maximum structure size
Initial Size
Optimum size
REBUILDPERCENT
Reconfiguring RACF structures
System authorization facility (SAF)
The SAF router
The SAF callable services router
Associating started procedures and jobs with user IDs
Methods for associating started procedures with RACF identities
The STARTED class
The started procedures table (ICHRIN03)
Coding the started procedures module
Generic entry in ICHRIN03
Example 1
Example 2
Example 3
Example 4 (Error in Table)
Example 5
The ICHAUTAB module
Failsoft processing
General considerations
Impact on users
CICS considerations
CICS timeout value
TXSeries
DFSMS considerations
TSO considerations
ISPF considerations
DB2 considerations
DASD data sets
Using utilities on RACF-protected DASD data sets
Using utilities with the OPERATIONS or group-OPERATIONS attribute
Renaming RACF-protected data sets
Using IEHMOVE with the ADSP attribute
Using IEHMOVE with the COPYAUTH parameter
Using the DFSMSdss and DSF utilities
Moving a RACF-indicated DASD data set between systems
Moving a RACF-indicated data set to a RACF-active system
Moving a data set with a discrete profile to a RACF-inactive system
Moving a RACF-indicated data set to a non-RACF system with RACF indicator checking
Moving a multivolume RACF-indicated data set between systems
Using access method services commands
LISTCAT command
REPRO/RESETCAT/IMPORT/IMPORTRA commands
DASD volumes
Scratching DASD data sets
Moving DASD volumes between systems
UCBs above 16MB
Protecting tape data
Tape data protection and bypass label processing (BLP)
Considerations for unlabeled (NL) tapes
Using utilities on RACF-protected tape volumes and tape data sets
Moving tape volumes between systems
Moving multivolume tape data sets between systems
Multiple users per address space
Restarting jobs
Panel driver interface
REXX RACVAR function
Installing the REXX RACVAR function
Using the REXX RACVAR function
Initializing RACF verification of signed programs (IRRVERLD)
IRRVERLD return codes
RACF remote sharing facility (RRSF)
Overview of the RACF remote sharing facility (RRSF)
Understanding the RRSF concepts
RRSF nodes and the RRSF network
The RRSFDATA class
User ID associations
Overview of the RRSF function
The RRSF network
RRSF nodes
Local and remote RRSF nodes
Single-system nodes and multisystem nodes
Local and remote modes of operation
Connections between nodes
Operative connections
Dormant connections
Connection states
Network protocols
Using TCP/IP in an RRSF network
Using APPC/MVS and VTAM in an RRSF network
Using mixed protocols
Encryption and masking of data
Masking of data
Encryption of data
Workspace data sets
Naming conventions for the workspace data sets
Workspace data sets for a local node
Workspace data sets for a remote node using APPC
Workspace data sets for a remote node using TCP/IP
Examples of workspace data set names
Defining the workspace data sets
Size guidelines for the workspace data sets
Maintaining the workspace data sets
Determining how full the workspace data sets are
Increasing the size of the workspace data sets
Deleting the workspace data sets
How a directed command travels through the network
Defining an RRSF environment
Preparing to configure an RRSF network
System prerequisites
RACF template version considerations
RACF dynamic parse version considerations
SETROPTS options considerations
Password rules
Mixed case passwords
Class descriptor table considerations
Synchronizing database profiles
Installation exit considerations
Considerations for installation-provided code
RACF subsystem address space considerations
Setting up your system to use APPC/MVS and VTAM
Protecting the ACBNAME used for RRSF
Controlling access to LUs on the local system
Controlling access to LUs from remote systems
APPC TP profiles
Providing security for server access to specific LU or TP names
Controlling access to the transaction program profiles
Controlling database token maintenance
Setting up your system to use TCP/IP
Protecting the RRSF listener port
Setting up AT-TLS
Stack initialization protection
Stack access control
Allowing the subsystem address space to use z/OS UNIX socket APIs
Configuring an RRSF network
The SET command
Listing information about RRSF functions on the local node
Tracing APPC, IMAGE, and RRSF events
Activating and deactivating RRSF functions
Specifying a parameter library member to process
Specifying a JES node to return output to
Defining RRSF nodes to RACF
Listing the attributes of target nodes
Sample output for single-system nodes
Sample output for multisystem nodes that use APPC/MVS
Sample output for multisystem nodes that use TCP/IP
Sample output for local nodes that use IPv6
Controlling outgoing requests from the local node
Controlling incoming requests from remote nodes
Purging a workspace data set
Deleting a node
Reconfiguring a multisystem node
Adding a system to a multisystem node
Deleting a system from a multisystem node
Configuring a new main system in a multisystem node
Changing the protocol for a connection
Steps for changing the protocol for a connection
Changing the protocol for the entire network
The RACF parameter library
Security considerations for the RACF parameter library
Configuring RRSF without using the RACF parameter library
Attributes of the RACF parameter library
Parameter library member names
Commands that can be issued from the RACF parameter library
Commands that span multiple lines
Blank lines and comments in the RACF parameter library
Automatically processing a parameter library member during initialization
If you do not want a parameter library member processed automatically
Using the SET INCLUDE function
Sharing a RACF parameter library on a multisystem node
Order of commands in a RACF parameter library
Recovering from RACF parameter library errors
Customizing and establishing security for RRSF
Customizing a remote sharing environment
Establishing security for your remote sharing environment
RRSF considerations for JES security
Examples of defining a remote sharing environment
Configuring nodes in local mode
Configuring a two-node network that uses APPC/MVS
Configuring a two-node network that uses TCP/IP
Configuring a multisystem node
Steps for configuring a multisystem node
Configuring two multisystem nodes
Monitoring your remote sharing environment
RACF database utilities
RACF internal reorganization of aliases utility program (IRRIRA00)
IRRIRA00 stage conversion
Diagnostic capability
Input for IRRIRA00
IRRIRA00 example
Output from IRRIRA00
RACF database initialization utility program (IRRMIN00)
Running IRRMIN00 when PARM=NEW is specified
Running IRRMIN00 when PARM=UPDATE is specified
Running IRRMIN00 when PARM=ACTIVATE is specified
Diagnostic capability
Input for IRRMIN00
Output from IRRMIN00
RACF cross reference utility program (IRRUT100)
Group name and user ID occurrences that IRRUT100 lists
Exit routine
Diagnostic capability
The work data set
Using IRRUT100
Input for IRRUT100
Job control statements
IRRUT100 example
Output from IRRUT100
RACF database verification utility program (IRRUT200)
Copying a data set in the RACF database
Diagnostic capability
Monitoring the capacity of the RACF database
Processing considerations for databases from other systems
Using IRRUT200
Input and output for IRRUT200
Control
Job control statements
IRRUT200 examples
Utility control statements
Scanning the index blocks
Unformatted printout
Formatted printout
BAM/allocation comparison
IRRUT200 return codes
RACF database split/merge/extend utility program (IRRUT400)
How IRRUT400 works
Using IRRUT400 to extend a database
Copying a RACF database
Repairing a RACF database
Diagnostic capability
Executing IRRUT400
Specifying the input database
Specifying the output database
Selecting the output data set
Processing the output data sets
Specifying parameters
Processing of conflicts and inconsistencies
IRRUT400 return codes
IRRUT400 examples
Example 1. Copying a database
Example 2. Splitting a database
Example 3. Merging data sets
Example 4. Copying to a larger database
Example 5. Unlocking a database
Example 6. Copying using a two-stage option
Utilities documented in other documents
RACF database unload utility program (IRRDBU00)
RACF remove ID utility (IRRRID00)
RACF SMF data unload utility program (IRRADU00)
BLKUPD command
Data security monitor (DSMON)
RACF report writer (RACFRW)
RRSF VSAM file browser (IRRBRW00)
RACFICE reporting tool
RACF installation exits
Overview
RACF exits report
Extended addressing for exits
Data set naming convention table
Exits running in the RACF subsystem address space
Possible uses of RACF exits
Summary of installation-exit callers
ACEE compression/expansion exits
Range tables
Range table example
IRRACX01
Installing the exit routine
Exit recovery
Exit routine environment
Exit routine processing
Compression-time invocation of IRRACX01
Expansion-time invocation of IRRACX01
Programming considerations
Entry specifications
Registers at entry
Parameter descriptions
Return specifications
Registers at exit
Coded example of the exit routine
IRRACX02
Installing the exit routine
Exit recovery
Exit routine environment
Exit routine processing
Compression-time invocation of IRRACX02
Expansion-time invocation of IRRACX02
Programming considerations
Entry specifications
Registers at entry
Parameter descriptions
Return specifications
Registers at exit
Coded example of the exit routine
Command exits for specific commands
ICHCNX00 processing
Return codes from the command-preprocessing exit ICHCNX00
ICHCCX00 processing
Return codes from the command-preprocessing exit ICHCCX00
Common command exit
Controlling the exit routine through the dynamic exits facility
Replacing the exit routine
Exit routine environment
Exit recovery
Exit routine processing
Information passed in the parameter list
The preprocessing call
The postprocessing call
Programming considerations
Entry specifications
Registers at entry
Parameter descriptions
Return specifications
Registers at exit
Coded example of the exit routine
New-password exit
ICHPWX01 processing
Return codes from the new-password exit
Using the exit for password quality control
Coded example of the exit routine
New-password-phrase exit (ICHPWX11)
Installing the exit routine
Exit routine environment
Exit routine processing
Programming considerations
Entry specifications
Registers at entry
Parameter list contents
Return specifications
Registers at exit
Coded example of the exit routine
Password authentication exits
ICHDEX01
Installing the exit routine
Exit recovery
Exit routine environment
Exit routine processing
Programming considerations
Entry specifications
Registers at entry
Parameter descriptions
Return specifications
Registers at exit
Coded example of the exit routine
ICHDEX11
Installing the exit routine
Exit recovery
Exit routine environment
Exit routine processing
Programming considerations
Entry specifications
Registers at entry
Parameter descriptions
Return specifications
Registers at exit
Coded example of the exit routine
RACROUTE REQUEST=AUTH exits
Extended addressing
Preprocessing exit (ICHRCX01)
Return codes from the RACROUTE REQUEST=AUTH preprocessing exit
Postprocessing exit (ICHRCX02)
Return codes from the RACROUTE REQUEST=AUTH postprocessing exit
Possible uses of the exits
Allowing access when RACF is inactive
Protecting the user's resources from the user
Controlling access of shared user IDs
RACROUTE REQUEST=DEFINE exits
Extended addressing
Automatic direction of application updates
Preprocessing exit (ICHRDX01)
Return codes from the RACROUTE REQUEST=DEFINE preprocessing exit
Postprocessing exit (ICHRDX02)
Return codes from the RACROUTE REQUEST=DEFINE postprocessing exit
RACROUTE REQUEST=FASTAUTH exits
Preprocessing exits (ICHRFX01 and ICHRFX03)
ICHRFX01
Return codes from the ICHRFX01 preprocessing exit
ICHRFX03
Return codes from the ICHRFX03 preprocessing exit
Postprocessing exits (ICHRFX02 and ICHRFX04)
ICHRFX02
Return codes from the ICHRFX02 postprocessing exit
ICHRFX04
Return codes from the ICHRFX04 postprocessing exit
Possible uses of the exits
Controlling access of shared user IDs
RACROUTE REQUEST=LIST exits
Pre- and postprocessing exit (ICHRLX01)
Return codes from ICHRLX01
Selection exit (ICHRLX02)
Return codes from the RACROUTE REQUEST=LIST selection exit
RACROUTE REQUEST=VERIFY(X) exits
Preprocessing exit (ICHRIX01)
Return codes from the RACROUTE REQUEST=VERIFY(X) preprocessing exit
Postprocessing exit (ICHRIX02)
Return codes from the RACROUTE REQUEST=VERIFY(X) postprocessing exit
RACF report-writer exit
ICHRSMFE processing
Return codes from the RACF report-writer exit (ICHRSMFE)
Custom Field Validation Exit (IRRVAF01)
Controlling the exit routine through the dynamic exits facility
Replacing the exit routine
Exit routine environment
Exit recovery
Exit routine processing
Information passed in the parameter list
Programming considerations
Entry specifications
Registers at entry
Parameter descriptions
Return specifications
Registers at exit
Coded example of the exit routine
SAF router exits
Recovery procedures
Overview
Exit routine considerations
TSO considerations
The RVARY command
Shared database considerations
RVARY password considerations
Quiescing database I/O activity
RVARY SWITCH
RVARY ACTIVE or INACTIVE
Without a backup database
With a backup database
Synchronization considerations
Restoration of the RACF database
Restoration of a single data set in the database
Other recovery considerations
Considerations for issuing RVARY from the RACFRCVY started procedure
Failures on the RACF database
Sample recovery procedures
The primary database is in error, the backup database is unaffected
The backup database is in error, the primary database is unaffected
The primary database is in error, there is no backup database
Both the primary and the backup databases are in error
Failures using sysplex data sharing
Read-only mode
Non–data sharing mode
Recovery scenarios
Coupling facility not available
Structure not defined in policy
Structure too small
Link failure
RACF structure failure
RACF support of the rebuild interface
Sysplex recovery scenarios that require XCF-local mode
Sysplex recovery scenarios requiring a member to be brought up with sysplex communication mode and data sharing mode inactive
Failures during RACF command processing
Commands that do not modify user-created RACF profiles
Commands that have recovery routines
Commands that perform single operations
Commands that perform multiple operations
Recovering from errors in identity mapping profiles
Missing identity mapping profile
User ID associated with an identity mapping profile does not exist
Profile mismatch
Recovering from errors with application identity mapping
Mapping profile exists
Missing alias index entry
User or group associated with an alias index entry does not exist
Profile and alias index mismatch
Commands that are propagated for RACF sysplex communication
Failures when propagating RVARY commands
Failures when propagating SETROPTS commands
Failures during RACF manager processing
Failures during system operations on RACF-protected data sets
Failures during SCRATCH or DELETE
Failures during ALLOCATE or DEFINE
Failures during RENAME or ALTER
Failures during EOV (non-VSAM)
Failures in the RACF subsystem address space
Recovering from RACF parameter library problems
Recovering when a task stops
Recycling an RRSF connection
Recovering from VSAM errors on the RRSF workspace data sets
Viewing the workspace data sets
Recovering when the workspace data sets fill up
The last resort—shutting down the RACF subsystem address space
Storage estimates
RACF database storage requirements
Factors affecting the size of the RACF database
Formula for the RACF database size
Calculating the number of blocks required for the profiles
Calculating the number of index blocks required
Calculating the number of blocks required for the alias index
Calculating the number of BAM blocks
RACF virtual storage requirements
Coupling facility cache structure storage requirements
RRSF initialization worksheet and scenario
RRSF node configuration worksheet
RRSF initialization scenario
Background information
Completed RRSF node configuration worksheet for node MVS01
Completed RRSF node configuration worksheet for node MVS02
Summary
Detailed instructions
Now it's your turn to fill out the worksheet
Non-recommended options
Selecting options with ICHSECOP
Bypassing RACF initialization processing
Selecting the number of resident data blocks
Disallowing duplicate names for data set profiles
Changing the ICHAUTAB module
Using the RACF authorized-caller table
Format of the authorized-caller table
Copyright IBM Corporation 1990, 2014