RACF database initialization utility program (IRRMIN00)
z/OS Security Server RACF System Programmer's Guide SA23-2287-00

This utility initializes a RACF® database, and updates the database copy and the in-storage copy of the database templates. You can use it in three ways:

If you have split your database, you must run IRRMIN00 against each data set defined in your data set name table (ICHRDSNT). If you have a backup database, you must also run IRRMIN00 against each data set in the backup database.

You can use the SET LIST command to display the level of the templates that your system is using. The level information consists of a 7-character FMID or APAR level, followed by a space, followed by an 8-digit release level and an 8-digit APAR level. The 8-digit release level and the 8-digit APAR level are separated by a period (rrrrrrrr.aaaaaaaa). Each new RACF release increments the release level, and each APAR that ships templates increases the APAR level. The IRRMIN00 utility uses this level information to determine the relationship between different copies of the templates on the system.

In the following SET LIST output, HRF7708 is the FMID of the RACF release, 00000020 is the 8-digit release level, and 00000010 is the 8-digit APAR level.

When comparing templates to determine which is the most recent, RACF first compares the 8-digit representations of their release levels. The templates having the highest release level are considered to be the latest. If the release levels are the same, RACF compares the 8-digit representations of the APAR levels, and the templates having the highest APAR level are considered to be the latest. For templates earlier than FMID HRF7708, which do not have 8-digit representations of the release level and APAR level, the release level and APAR level are each assumed to be 00000000. Note that RACF does not consider the 7-character FMID or APAR level when comparing the templates.

If you install a new release of RACF or a PTF that requires a re-IPL and contains an update to the RACF templates (shipped in CSECT IRRTEMP2), you should first run the latest version of IRRMIN00 with PARM=UPDATE to write the templates from IRRTEMP2 to the RACF database. Then do the required re-IPL. During the IPL, RACF initialization builds the in-storage templates from the updated database templates. If you were installing a new release, remember to include a STEPLIB to the new SYS1.LINKLIB in your JCL for IRRMIN00 PARM=UPDATE.

Note: If you do not run IRRMIN00 to update your database before you re-IPL, RACF initialization determines that the database does not have the latest level of the templates, ignores the templates in the database, and automatically uses the latest templates shipped in the CSECT IRRTEMP2. However, until you run IRRMIN00 you might get error messages from IRRUT200 or BLKUPD during some operations, and the RACF database unload utility will not unload new fields. Also, products that read the database directly and process the database template blocks will have problems with profile information related to the new templates.
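
The template level comparison and the "database is behind IRRTEMP2" condition described above, as an added Python example (not IBM code and not part of the original page). The function names, the placeholder FMID XXXXXXX, the sample APAR level 00000011, and the assumption that a pre-HRF7708 level appears as a bare 7-character string are constructed for illustration.

```python
import re
from typing import NamedTuple

# Level string as described on the page: a 7-character FMID or APAR level,
# a space, then rrrrrrrr.aaaaaaaa (8-digit release level, 8-digit APAR level).
# Assumption: a pre-HRF7708 level is just the 7 characters, with no digits.
_LEVEL_RE = re.compile(r"^(?P<fmid>\S{7})(?: (?P<rel>\d{8})\.(?P<apar>\d{8}))?$")


class TemplateLevel(NamedTuple):
    fmid: str      # informational only; never used when comparing
    release: int
    apar: int

    @property
    def key(self):
        # Release level is compared first, APAR level breaks ties.
        return (self.release, self.apar)


def parse_level(text: str) -> TemplateLevel:
    m = _LEVEL_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a template level string: {text!r}")
    # Missing 8-digit levels are each treated as 00000000.
    rel = int(m["rel"]) if m["rel"] else 0
    apar = int(m["apar"]) if m["apar"] else 0
    return TemplateLevel(m["fmid"], rel, apar)


def latest(levels: dict) -> str:
    """Name of the copy that holds the most recent templates."""
    parsed = {name: parse_level(s) for name, s in levels.items()}
    return max(parsed, key=lambda name: parsed[name].key)


def database_is_behind(database: str, shipped: str) -> bool:
    """True when the database templates are older than those in IRRTEMP2,
    the case in which IRRMIN00 PARM=UPDATE still has to be run."""
    return parse_level(database).key < parse_level(shipped).key


# Constructed sample: only the first string's values come from the page.
SAMPLE = {
    "database": "HRF7708 00000020.00000010",
    "IRRTEMP2": "XXXXXXX 00000020.00000011",  # placeholder FMID, made-up APAR level
}

if __name__ == "__main__":
    print(latest(SAMPLE), database_is_behind(SAMPLE["database"], SAMPLE["IRRTEMP2"]))
```
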

If you install a PTF that contains an update to the RACF templates but does not require a re-IPL (because all the modules in the PTF reside in LINKLIB), first run IRRMIN00 with PARM=UPDATE to update the database templates. Then run IRRMIN00 with PARM=ACTIVATE to have RACF replace the in-storage templates with the database templates. An IPL is not required.

You do not have to enable RACF in order to run IRRMIN00 with PARM=NEW or PARM=UPDATE.

Attention: The ADDCREATOR and NOADDCREATOR keywords on the SETROPTS command determine whether RACF adds the user ID that creates a profile to the access list for the profile. The initial setting of these keywords depends on whether your database is new or old. If you run IRRMIN00 with PARM=NEW, the initial setting is NOADDCREATOR. If you run IRRMIN00 with anything other than PARM=NEW, RACF retains the current value of ADDCREATOR or NOADDCREATOR. For compatibility and migration reasons, ADDCREATOR is the default if no prior specification of ADDCREATOR or NOADDCREATOR has occurred. For more information on the ADDCREATOR and NOADDCREATOR keywords on the SETROPTS command, see z/OS Security Server RACF Command Language Reference.

Copyright IBM Corporation 1990, 2014