RACF_AIM_STAGE

Description:
The RACF_AIM_STAGE check examines the RACF® database application identity mapping (AIM) to see whether it is at AIM stage 3, which is recommended. Your system programmer can convert your RACF database to AIM stage 3 using the IRRIRA00 conversion utility.
Reason for check:
AIM stage 3 allows RACF to handle authentication and authorization requests from applications such as z/OS® UNIX more efficiently, and it is required for some RACF functions. You should assign a unique UNIX UID to each user and a unique GID to each group that needs access to z/OS UNIX functions and resources. Assigning unique IDs rather than shared IDs improves overall security and increases user accountability. However, if you have a large number of users without OMVS segments who need access to z/OS UNIX services, such as FTP, you might choose not to assign UNIX identities before they first use those services. In that case, once your RACF database has been converted to AIM stage 3, you can enable RACF to automatically assign unique UNIX UIDs and GIDs at the time they are needed.
z/OS releases the check applies to:
z/OS V1R12 and later.
Parameters accepted:
No
User override of IBM values:
The following sample shows the defaults for customizable values for this check. Use this sample to make permanent check customizations in an HZSPRMxx parmlib member used at IBM Health Checker for z/OS startup. If you want only a one-time update to the check defaults, omit the first line (ADDREPLACE POLICY) and use the UPDATE statement on a MODIFY hzsproc command. Note that using non-POLICY UPDATE statements in HZSPRMxx can lead to unexpected results and is therefore not recommended.
ADDREPLACE POLICY[(policyname)] [STATEMENT(name)]
UPDATE
CHECK(IBMRACF,RACF_AIM_STAGE)
SEVERITY(MED),INTERVAL(24:00),DATE('date_of_the_change')
REASON('Your reason for making the update.')  
Debug support:
No
Verbose support:
No
Reference:
Messages:
This check issues the following exception messages:
  • IRRH501E
See z/OS Security Server RACF Messages and Codes.
SECLABEL recommended for multilevel security users:
SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.
Output:
  • The following shows the output from a RACF_AIM_STAGE check that finds the system at stage 3:
    CHECK(IBMRACF,RACF_AIM_STAGE)                                      
    START TIME: 05/06/2011 10:51:02.926675                             
    CHECK DATE: 20110101  CHECK SEVERITY: MEDIUM                       
                                                                       
    IRRH500I The RACF database is at the suggested stage of application 
    identity mapping (AIM). The database is at AIM stage 03. 
                                                     
                                                                       
    END TIME: 05/06/2011 10:51:02.927390  STATUS: SUCCESSFUL    
  • The following shows the output from an exception for RACF_AIM_STAGE:
    CHECK(IBMRACF,RACF_AIM_STAGE)                                           
    START TIME: 05/06/2011 11:06:27.618944                                  
    CHECK DATE: 20110101  CHECK SEVERITY: MEDIUM                            
                                                                            
    * Medium Severity Exception *                                           
                                                                            
    IRRH501E The RACF database is not at the suggested stage of application 
    identity mapping (AIM). The database is at AIM stage 00.                
                                                                            
      Explanation:  The RACF_AIM_STAGE check has determined that the RACF   
        database is not at the suggested stage of application identity      
        mapping (AIM). Your system programmer can convert your RACF database
        using the IRRIRA00 conversion utility. See z/OS Security Server RACF
        System Programmer's Guide for information about running the IRRIRA00
        conversion utility.                                                 
        Stage 3 of application identity mapping allows RACF to more         
        efficiently handle authentication and authorization requests from   
        applications such as z/OS UNIX and is required to use some RACF     
        function. You should assign a unique UNIX UID for each user and a   
        unique GID for each group that needs access to z/OS UNIX functions  
        and resources. Assigning unique IDs rather than shared IDs improves 
        overall security and increases user accountability. However, if you 
        have a large number of users without OMVS segments who need access  
        to z/OS UNIX services, such as FTP, you might choose not to assign  
        UNIX identities in advance of their need to use the services. In    
        these cases, when your RACF database has been converted to AIM stage
        3, you can enable RACF to automatically assign unique UNIX UIDs and 
        GIDs at the time they are needed. See z/OS Security Server RACF     
        Security Administrator's Guide for information about enabling RACF  
        for automatic assignment of unique UNIX identities.

      System Action:  The check continues processing. There is no effect on 
        the system.                                                         
                                                                            
      Operator Response:  Report this problem to the system security        
        administrator.                                                      
                                                                            
      System Programmer Response:  If you want to use RACF function such as 
        support for automatically assigning unique UNIX UIDs and GIDs at the
        time that they are needed, run the IRRIRA00 utility to advance the  
        RACF database to application identity mapping stage 3. For details  
        about using the IRRIRA00 utility, see z/OS Security Server RACF     
        System Programmer's Guide.                                          
                                                                            
      Problem Determination:                                                
                                                                            
      Source:                                                               
                                                                            
      Reference Documentation:                                              
        z/OS Security Server RACF System Programmer's Guide                 
        z/OS Security Server RACF Security Administrator's Guide            
                                                                            
      Automation:  None.

      Check Reason:  AIM Stage 3 is suggested.               
                                                               
    END TIME: 05/06/2011 11:06:27.620454  STATUS: EXCEPTION-MED
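The two reports above are what an operator or an automation product actually sees, so the useful thing to automate is reading them. The following is an added example, not IBM code and not part of this page: a small parser that splits IBM Health Checker for z/OS report text into per-check blocks, extracts the check name, severity and final STATUS, pulls the AIM stage number from the IRRH500I/IRRH501E message line, and flags any RACF database below stage 3. The sample report embedded in the block is constructed from the page's two sample outputs (condensed); the function and class names are the example's own.

```python
"""Detect a RACF database below AIM stage 3 from Health Checker report text.

Added example (not IBM code). The wording matched here is the IRRH500I /
IRRH501E text shown on this page: "The database is at AIM stage NN."
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

RECOMMENDED_AIM_STAGE = 3  # the stage RACF_AIM_STAGE recommends

# A report block begins at a line that starts with CHECK(owner,name).
BLOCK_START = re.compile(r"(?m)^(?=[ \t]*CHECK\()")
CHECK_RE = re.compile(r"CHECK\((\w+),(\w+)\)")
SEVERITY_RE = re.compile(r"CHECK SEVERITY:\s*(\w+)")
STATUS_RE = re.compile(r"STATUS:\s*([A-Z][A-Z-]*)")
# Exception messages end in E, informational ones in I (IRRH501E / IRRH500I).
MSG_ID_RE = re.compile(r"\b(IRRH50\d[IE])\b")
STAGE_RE = re.compile(r"The database is at AIM stage (\d+)")


@dataclass
class CheckResult:
    owner: str
    name: str
    severity: Optional[str]
    status: Optional[str]
    message_id: Optional[str]
    aim_stage: Optional[int]  # populated only for RACF_AIM_STAGE

    @property
    def is_exception(self) -> bool:
        return self.status is not None and self.status.startswith("EXCEPTION")

    @property
    def at_recommended_stage(self) -> bool:
        return self.aim_stage is not None and self.aim_stage >= RECOMMENDED_AIM_STAGE


def parse_report(text: str) -> List[CheckResult]:
    """Split Health Checker output into blocks and extract one result per block."""
    results: List[CheckResult] = []
    for raw in BLOCK_START.split(text):
        # The report wraps and pads lines; collapse whitespace so every
        # regex sees the block as a single line.
        block = " ".join(raw.split())
        head = CHECK_RE.match(block)
        if not head:
            continue  # text before the first CHECK( line, or an empty split
        owner, name = head.groups()
        sev = SEVERITY_RE.search(block)
        status = STATUS_RE.search(block)
        msg = MSG_ID_RE.search(block)
        stage = None
        if name == "RACF_AIM_STAGE":
            found = STAGE_RE.search(block)
            if found:
                stage = int(found.group(1))
        results.append(CheckResult(
            owner, name,
            sev.group(1) if sev else None,
            status.group(1) if status else None,
            msg.group(1) if msg else None,
            stage,
        ))
    return results


def aim_findings(results: List[CheckResult]) -> List[CheckResult]:
    """Return RACF_AIM_STAGE results whose database is below the recommended stage."""
    return [r for r in results
            if r.name == "RACF_AIM_STAGE" and not r.at_recommended_stage]


# Constructed from the page's two sample reports (condensed).
SAMPLE_REPORT = """\
CHECK(IBMRACF,RACF_AIM_STAGE)
START TIME: 05/06/2011 10:51:02.926675
CHECK DATE: 20110101  CHECK SEVERITY: MEDIUM

IRRH500I The RACF database is at the suggested stage of application
identity mapping (AIM). The database is at AIM stage 03.

END TIME: 05/06/2011 10:51:02.927390  STATUS: SUCCESSFUL
CHECK(IBMRACF,RACF_AIM_STAGE)
START TIME: 05/06/2011 11:06:27.618944
CHECK DATE: 20110101  CHECK SEVERITY: MEDIUM

* Medium Severity Exception *

IRRH501E The RACF database is not at the suggested stage of application
identity mapping (AIM). The database is at AIM stage 00.

  Explanation:  The RACF_AIM_STAGE check has determined that the RACF
    database is not at the suggested stage of application identity
    mapping (AIM).

END TIME: 05/06/2011 11:06:27.620454  STATUS: EXCEPTION-MED
"""

if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(f"{r.owner}.{r.name}: stage={r.aim_stage} status={r.status} msg={r.message_id}")
    for r in aim_findings(parse_report(SAMPLE_REPORT)):
        print(f"FINDING: RACF database at AIM stage {r.aim_stage}, "
              f"below recommended stage {RECOMMENDED_AIM_STAGE} ({r.message_id})")
```

Collapsing whitespace before matching is deliberate: the report wraps message text at fixed columns, so "AIM stage" and the stage number can land on different lines in a real capture, and a line-oriented grep for IRRH501E alone would still miss the stage value.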