z/OS
Security Server RACF Security Administrator's Guide
SA22-7683-15
Note: Before using this information and the product it supports, be sure to read the general information under "Notices" on page 781.
This edition applies to z/OS Version 1 Release 13 of z/OS (5694-A01) and to all subsequent releases and modifications until otherwise indicated in new editions.
This edition replaces SA22-7683-14.
Copyright IBM Corporation 1994, 2011. US Government Users Restricted Rights: use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Figures . . . xiii
Tables . . . xv

About this document . . . xvii
  Who should use this document . . . xvii
  How to use this document . . . xvii
  Where to find more information . . . xvii
    Softcopy documents . . . xvii
    RACF courses . . . xviii
    IBM systems center publications . . . xviii
    Other sources of information . . . xix
    Internet sources . . . xix
    The z/OS Basic Skills Information Center . . . xx
  To request copies of IBM publications . . . xx

How to send your comments to IBM . . . xxi
  If you have a technical problem . . . xxi

Summary of changes . . . xxiii
  Changes made in z/OS Version 1 Release 13, SA22-7683-15 . . . xxiii
  Changes made in z/OS Version 1 Release 12, SA22-7683-14 . . . xxiv
  Changes made in z/OS Version 1 Release 11, SA22-7683-13 . . . xxv

Chapter 1. Introduction . . . 1
  How RACF Meets Security Needs . . . 2
    User Identification and Verification . . . 2
    Authorization Checking . . . 3
    Logging and Reporting . . . 4
    User Accountability . . . 5
    Flexibility . . . 9
    RACF Transparency . . . 10
    Implementing Multilevel Security . . . 10
  Multilevel Security . . . 10
    Characteristics of a Multilevel-Secure Environment . . . 11
  Administering Security . . . 12
    Delegating Administration Tasks . . . 12
    Administering Security When a z/VM System Shares the RACF Database . . . 13
    Using RACF Commands or Panels . . . 13
  RACF Group and User Structure . . . 15
    Defining Users and Groups . . . 16
    Protecting Resources . . . 20
    Security Classification of Users and Data . . . 24
    Selecting RACF Options . . . 24
  Using RACF Installation Exits to Customize RACF . . . 24
    The RACROUTE REQUEST=VERIFY, VERIFYX, AUTH, and DEFINE exits . . . 24
    The RACROUTE REQUEST=LIST exits . . . 25
    The RACROUTE REQUEST=FASTAUTH exits . . . 25
    The RACF command exits . . . 25
    The RACF password processing exits . . . 25
    The RACF password authentication exits . . . 26
  Tools for the Security Administrator . . . 26
    Using RACF utilities . . . 26
    RACF block update command (BLKUPD) . . . 28
    Using the RACF report writer . . . 28
    Using the data security monitor . . . 29
    Recording statistics in RACF profiles . . . 29
    Listing information from RACF profiles . . . 29
    Searching for RACF profile names . . . 32
    Using the LIST and SEARCH commands effectively . . . 32

Chapter 2. Organizing for RACF Implementation . . . 37
  Ensuring Management Commitment . . . 37
  Selecting the Security Implementation Team . . . 38
    Responsibilities of the Implementation Team . . . 38
  Defining Security Objectives and Preparing the Implementation Plan . . . 39
  Deciding What to Protect . . . 39
    Protecting Existing Data . . . 40
    Protecting New Data . . . 40
    Allowing a Warning Period . . . 43
  Establishing Ownership Structures . . . 43
    Selecting User IDs and Group Names . . . 43
    Establishing Your RACF Group Structure . . . 44
  Educating the System Users . . . 46
  Summary . . . 48

Chapter 3. Defining Groups and Users . . . 51
  Defining RACF Groups . . . 52
    Types of Groups . . . 52
    Group Profiles . . . 54
    Defining Large Groups with the UNIVERSAL Attribute . . . 56
    Group Naming Conventions . . . 57
    Benefits of Using RACF Groups . . . 57
    Group Ownership and Levels of Group Authority . . . 59
  Summary of Steps for Defining a RACF Group . . . 61
  Summary of Steps for Deleting Groups . . . 62
  Defining Users . . . 63
    User Profiles . . . 64
    User Naming Conventions . . . 75
    Suggestions for Defining User IDs . . . 75
    Ownership of a RACF User Profile . . . 76
    User Attributes . . . 76
    User Attributes at the Group Level . . . 82
    Suggestions for Assigning User Attributes . . . 87
    Verifying User Attributes . . . 88
    Default Universal Access Authority (UACC) . . . 88
    Assigning Security Categories, Levels, and Labels to Users . . . 88
Copyright IBM Corp. 1994, 2011 iii
    Limiting When a User Can Access the System . . . 89
    Defining protected user IDs . . . 90
    Defining restricted user IDs . . . 91
    Assigning password phrases . . . 92
  Summary of Steps for Defining Users . . . 94
  Summary of Steps for Deleting Users . . . 96
  General Considerations for User ID Delegation . . . 98

Chapter 4. Classifying Users and Data . . . 101
  Security Classification of Users and Data . . . 101
    Effect On RACF Authorization Checking . . . 102
  Understanding Security Levels and Security Categories . . . 103
    CATEGORY and SECLEVEL Information in Profiles . . . 104
    Converting from LEVEL to SECLEVEL . . . 104
    Deleting UNKNOWN Categories . . . 104
    Maintaining Categories in an RRSF Environment . . . 104
  Understanding Security Labels . . . 105
    Comparing Security Labels . . . 105
    Considerations Related to Security Labels . . . 106
    How Users Specify Current Security Labels . . . 107
    Listing Security Labels . . . 108
    Finding Out Which Security Labels a User Can Use . . . 108
    Searching by Security Labels . . . 108
    Restricting Security Label Changes . . . 109
    Requiring Security Labels . . . 109
    Controlling the Writedown Privilege . . . 109
    Planning Considerations for Security Labels . . . 110

Chapter 5. Specifying RACF Options . . . 113
  Using the SETROPTS Command . . . 114
  SETROPTS Options for Initial Setup . . . 115
    Allowing Mixed-Case Passwords (PASSWORD Option) . . . 116
    Establishing Password Syntax Rules (PASSWORD Option) . . . 117
    Setting the Maximum and Minimum Change Interval (PASSWORD Option) . . . 117
    Extending Password and User ID Processing (PASSWORD Option) . . . 118
    Revoking Unused User IDs (INACTIVE Option) . . . 119
    Activating List-of-Groups Checking (GRPLIST Option) . . . 120
    Setting the RVARY Passwords (RVARYPW Option) . . . 121
    Restricting the Creation of General Resource Profiles (GENERICOWNER Option) . . . 121
    Activating General Resource Classes (CLASSACT Option) . . . 123
    Activating Generic Profile Checking and Generic Command Processing . . . 123
    Activating statistics collection (STATISTICS option) . . . 124
    Activating Global Access Checking (GLOBAL Option) . . . 128
    RACF-Protecting All Data Sets (PROTECTALL Option) . . . 128
    Activating JES2 or JES3 RACF Support . . . 129
    Preventing Access to Uncataloged Data Sets (CATDSNS Option) . . . 129
    Activating Enhanced Generic Naming for the DATASET Class (EGN Option) . . . 131
    Controlling Data Set Modeling (MODEL Option) . . . 131
    Bypassing Automatic Data Set Protection (NOADSP Option) . . . 132
    Displaying and Logging Real Data Set Names (REALDSN Option) . . . 132
    Protecting Data Sets with Single-Qualifier Names (PREFIX Option) . . . 132
    Activating Tape Data Set Protection (TAPEDSN Option) . . . 133
    Activating Tape Volume Protection (TAPEVOL Option) . . . 133
    Establishing a Security Retention Period for Tape Data Sets (RETPD Option) . . . 133
    Erasing Scratched or Released Data (ERASE Option) . . . 135
    Establishing National Language Defaults (LANGUAGE Option) . . . 136
  SETROPTS Options to Activate In-Storage Profile Processing . . . 136
    SETROPTS GENLIST Processing . . . 137
    SETROPTS RACLIST Processing . . . 138
  SETROPTS REFRESH Option for Special Cases . . . 141
    Refreshing In-Storage Generic Profile Lists (GENERIC REFRESH Option) . . . 141
    Refreshing Global Access Checking Lists (GLOBAL REFRESH Option) . . . 142
    Refreshing Shared Systems (REFRESH Option) . . . 142
  SETROPTS Options for Special Purposes . . . 143
    Protecting Undefined Terminals (TERMINAL Option) . . . 143
    Activating the Security Classification of Users and Data . . . 143
    Establishing the Maximum VTAM Session Interval (SESSIONINTERVAL Option) . . . 144
    Activating Program Control (WHEN(PROGRAM) Option) . . . 144
  SETROPTS Options Related to Security Labels . . . 145
    Restricting Changes to Security Labels (SECLABELCONTROL option) . . . 145
    Preventing Changes to Security Labels (MLSTABLE Option) . . . 146
    Quiescing RACF Activity (MLQUIET Option) . . . 146
    Preventing the Copying of Data to a Lower Security Label (SETROPTS MLS Option) . . . 147
    Activating Compatibility Mode For Security Labels (COMPATMODE Option) . . . 147
    Enforcing Multilevel Security (MLACTIVE Option) . . . 148
    Restricting Access to z/OS UNIX Files and Directories (MLFSOBJ Option) . . . 150
    Restricting Access to Interprocess Communication Objects (MLIPCOBJ Option) . . . 150
    Using Name-hiding (MLNAMES Option) . . . 151
    Activating Security Labels by System Image (SECLBYSYSTEM Option) . . . 151
iv z/OS V1R13.0 Security Server RACF Security Administrator's Guide
  SETROPTS Options for Automatic Control of Access List Authority . . . 152
    Automatic Addition of Creator's User ID to Access List . . . 152
    Automatic Omission of Creator's User ID from Access List . . . 152
  Specifying the Encryption Method for User Passwords . . . 152
  Using Started Procedures . . . 153
    Assigning RACF User IDs to Started Procedures . . . 154
    Authorizing Access to Resources . . . 155
    Setting Up the STARTED Class . . . 155
    Using the Started Procedures Table (ICHRIN03) . . . 157
    Started Procedure Considerations . . . 158

Chapter 6. Protecting Data Sets on DASD and Tape . . . 161
  Protecting Data Sets . . . 162
    Rules for Defining Data Set Profiles . . . 162
    Controlling the Creation of New Data Sets . . . 165
    Data Set Profile Ownership . . . 166
    Data Set Profiles . . . 167
    Rules for Generic Data Set Profile Names . . . 168
    Automatic Profile Modeling for Data Sets . . . 175
    Password-Protected Data Sets . . . 177
    Protecting GDG Data Sets . . . 178
    Protecting Data Sets That Have Duplicate Names . . . 179
    Disallowing Duplicate Names for Data Set Profiles . . . 179
    Using the PROTECT Operand or SECMODEL for Non-VSAM Data Sets . . . 179
    Protecting Multivolume Data Sets with Discrete Profiles . . . 180
  Protecting DASD Data Sets . . . 181
    Access Authorities for DASD Data Sets . . . 181
    Erasing of Scratched (Deleted) DASD Data Sets . . . 182
    Comparison of Password and RACF Authorization Requirements for VSAM . . . 183
    Protecting Catalogs . . . 183
    Protecting DASD System Data Sets . . . 183
  DASD Volume Authority . . . 185
  DFSMSdss Storage Administration . . . 186
  Protecting Data on Tape . . . 186
    Using DFSMSrmm with RACF . . . 187
    Choosing Which Tape-Related Options to Use . . . 187
    Protecting Existing Data on Tape (SETROPTS TAPEDSN in Effect) . . . 189
    Protecting New Data on Tape . . . 190
    Security Levels and Security Categories for Tapes . . . 193
    Security Labels for Tapes . . . 194
    Tape Volume Profiles That Contain a TVTOC . . . 194
    Predefining Tape Volume Profiles for Tape Data Sets . . . 196
    RACF Security Retention Period Processing (TAPEDSN Must Be Active) . . . 197
    Authorization Requirements for Tape Data Sets When Both TAPEVOL and TAPEDSN Are Active . . . 199
    Authorization Requirements for Tape Data Sets When TAPEVOL Is Inactive and TAPEDSN Is Active . . . 200
    Authorization Requirements for Tape Data Sets When TAPEVOL Is Active and TAPEDSN Is Inactive . . . 200
    JCL Changes . . . 200
    Installations with DFSMShsm . . . 200
    IEC.TAPERING Profile in the FACILITY Class . . . 201
    Password-Protected Tape Data Sets . . . 201
    Using the PROTECT Parameter for Tape Data Set or Tape Volume Protection . . . 201
    Multivolume Tape Data Sets . . . 202
    RACF Authorization of Bypass Label Processing (BLP) . . . 202
    Authorization Requirements for Labels . . . 203
    Tape Data Set and Tape Volume Protection with Nonstandard Labels (NSL) . . . 203
    Tape Data Set and Tape Volume Protection for Nonlabeled (NL) Tapes . . . 203

Chapter 7. Protecting General Resources . . . 205
  Defining Profiles for General Resources . . . 207
    Summary of Steps for Defining General Resource Profiles . . . 207
    Choosing Between Discrete and Generic Profiles in General Resource Classes . . . 210
    Disallowing Generic Profile Names for General Resources . . . 210
    Choosing Among Generic Profiles, Resource Group Profiles, and RACFVARS Profiles . . . 211
    Rules for Generic Profile Names . . . 211
    Generic Profile Checking of General Resources . . . 213
    Generic Profile Performance . . . 215
    Granting Access Authorities . . . 216
    Conditional Access Lists for General Resource Profiles . . . 217
  Setting Up the Global Access Checking Table . . . 218
    How Global Access Checking Works . . . 219
    Candidates for Global Access Checking . . . 219
    Creating Global Access Checking Table Entries . . . 219
    Stopping Global Access Checking for a Specific Class . . . 223
    Listing the Global Access Checking Table . . . 223
    Special Considerations for Global Access Checking . . . 223
  Field-level access checking . . . 225
  Planning for Profiles in the FACILITY Class . . . 232
    Delegating help desk functions . . . 232
    Delegating authority to profiles in the FACILITY class . . . 233
  Creating Resource Group Profiles . . . 233
    Adding a Resource to a Profile . . . 235
    Deleting a Resource from a Profile . . . 235
    Which Profiles Protect a Particular Resource? . . . 235
    Resolving Conflicts among Multiple Profiles . . . 235
    Considerations for Resource Group Profiles . . . 236
  Using RACF Variables in Profile Names (RACFVARS Class) . . . 237
    Defining RACF Variables . . . 238
Contents v
    Example of Protecting Several Tape Volumes Using the RACFVARS Class . . . 238
    Using RACF Variables . . . 239
    How RACF uses the RACFVARS member list . . . 240
    Using RACFVARS with Mixed-Case Classes . . . 242
  Controlling VTAM LU 6.2 Bind . . . 243
  Protecting Applications . . . 245
  Protecting DFP-Managed Temporary Data Sets . . . 246
  Protecting File Services Provided by LFS/ESA . . . 246
  Protecting Terminals . . . 247
    Creating Profiles in the TERMINAL and GTERMINL Classes . . . 247
    Controlling the Use of Undefined Terminals . . . 248
    Limiting Specific Groups of Users to Specific Terminals . . . 249
    Limiting the Times That a Terminal Can Be Used . . . 250
    Using Security Labels to Control Terminals . . . 250
    Using the TSO LOGON Command with the RECONNECT Operand . . . 250
  Protecting Consoles . . . 251
    Using Security Labels to Control Consoles . . . 252
  Using the Secured Signon Function . . . 252
    The RACF PassTicket . . . 253
    Activating the PTKTDATA Class . . . 253
    Defining Profiles in the PTKTDATA Class . . . 253
    When the Profile Definitions Are Complete . . . 259
    How RACF Processes the Password or PassTicket . . . 259
    Enabling the Use of PassTickets . . . 261
  Protecting the Vector Facility . . . 263
  Controlling Access to Program Dumps . . . 263
    Using RACF to Control Access to Program Dumps . . . 263
    Using Non-RACF Methods to Control Access to Program Dumps . . . 265
  Controlling the Allocation of Devices . . . 265
  Protecting LLA-Managed Data Sets . . . 268
  Controlling Data Lookaside Facility (DLF) Objects (Hiperbatch) . . . 269
  Using RACROUTE REQUEST=LIST,GLOBAL=YES Support . . . 271
    The RACGLIST Class . . . 271
  Administering the Use of Operator Commands . . . 272
    Authorizing the Use of Operator Commands . . . 273
    Command Authorization in an MCS Sysplex . . . 274
    Controlling the Use of Operator Commands . . . 274
  Controlling the Use of Remote Sharing Functions . . . 279
    Controlling Access to the RACLINK Command . . . 279
    Controlling Password Synchronization . . . 280
    Controlling the Use of the AT Operand . . . 281
    Controlling the Use of the ONLYAT Operand . . . 281
    Controlling Automatic Direction . . . 282
  Establishing Security for the RACF Parameter Library . . . 286
  Controlling Message Traffic . . . 287
  Controlling the Opening of VTAM ACBs . . . 288
  RACF and PSF (Print Services Facility) . . . 288
  Auditing When Users Receive Message Traffic . . . 289
  RACF and APPC . . . 289
    User Verification during APPC Transactions . . . 289
    Protection of APPC/MVS Transaction Programs (TPs) . . . 290
    LU Security Capabilities . . . 291
    Origin LU Authorization . . . 291
    Protection of APPC Server IDs (APPCSERV) . . . 292
  RACF and CICS . . . 292
  RACF and DB2 . . . 292
  RACF and IMS . . . 292
  RACF and ICSF . . . 292
  RACF and z/OS UNIX . . . 293
  RACF Support for NDS and Lotus Notes for z/OS . . . 293
  Administering Application User Identities . . . 293
    System Considerations . . . 294
    Authorizing Applications to Use Identity Mapping . . . 296
    Considerations for Application User Names . . . 297
  Storing encryption keys using the KEYSMSTR class . . . 297
    Steps for storing a key in a KEYSMSTR profile . . . 298
  Defining delegated resources . . . 299
    Steps for authorizing daemons to use delegated resources . . . 300

Chapter 8. Administering the Dynamic Class Descriptor Table (CDT) . . . 301
  Overview of the class descriptor table . . . 301
    Restrictions for applications and vendor products . . . 302
  Using the dynamic CDT . . . 302
    Profiles in the CDT class . . . 303
  Adding a dynamic class with a unique POSIT value . . . 304
    Steps for adding a dynamic class with a unique POSIT value . . . 304
  Adding a dynamic class that shares a POSIT value . . . 305
    Processing options that are controlled by a shared POSIT value . . . 306
    Rules about disallowing generics when sharing a POSIT value . . . 307
    Steps for adding a dynamic class with a shared POSIT value . . . 307
  Changing a POSIT value for a dynamic class . . . 308
    Steps for changing a POSIT value of an existing dynamic class . . . 308
  Guidelines for changing dynamic CDT entries . . . 309
  Defining a dynamic class with generics disallowed . . . 311
    Steps for changing a dynamic class to disallow generic profiles . . . 311
  Deleting a class from the dynamic CDT . . . 312
    Steps for deleting a dynamic CDT class . . . 313
  Disabling the dynamic CDT . . . 315
  Re-enabling a previously defined dynamic class . . . 315
    Steps to re-enable a previously defined dynamic class . . . 315
  Migrating to the dynamic CDT . . . 316
  Sysplex considerations for the dynamic CDT . . . 318
  Shared system considerations for the dynamic CDT . . . 318
    Shared system rules for disallowing generics with dynamic classes . . . 319
  RRSF considerations for the dynamic CDT . . . 319
Chapter 9. Protecting Programs . . . 321
  Overview of protecting programs . . . 321
  Program security modes . . . 323
    Simple program protection in BASIC or ENHANCED mode . . . 324
    Program control by SMFID in BASIC or ENHANCED mode . . . 327
    Maintaining a clean environment in BASIC or ENHANCED mode . . . 327
    More complex controls: Using EXECUTE access for programs or libraries (BASIC mode) . . . 329
    Migrating from BASIC to ENHANCED program security mode . . . 330
  Protecting program libraries . . . 332
    Program access to data sets (PADS) in BASIC mode . . . 333
    Choosing between the PADCHK and NOPADCHK operands . . . 337
  Program access to SERVAUTH resources in BASIC or ENHANCED mode . . . 338
  ENHANCED program security mode . . . 339
    Program access to data sets (PADS) in ENHANCED mode . . . 339
    Using EXECUTE access for programs and libraries in ENHANCED mode . . . 339
    When to use MAIN or BASIC . . . 340
    Defining programs as MAIN or BASIC . . . 341
  How protection works for programs and PADS . . . 342
    How program control works . . . 343
    Informational messages for program control . . . 343
    Authorization checking for access control to load modules . . . 343
    Authorization checking for access control to data sets . . . 344
  Processing for execute-controlled libraries . . . 345
  Examples of controlling programs and using PADS . . . 347
    Examples of defining load modules as controlled programs . . . 348
    Examples of setting up program access to data sets . . . 348
    Example of setting up an execute-controlled library . . . 349
    Example of setting up program control by system ID . . . 350

Chapter 10. Program signing and verification . . . 351
  Overview of program signing and verification . . . 351
    Terms to know . . . 352
    Related information . . . 352
    Task roadmap for program signing and signature verification . . . 352
  Enabling a user to sign a program . . . 352
    Overview of enabling a user to sign a program . . . 353
    Steps for enabling a user to sign a program using RACF code-signing certificates . . . 355
    Steps for enabling a user to sign a program using external code-signing certificates . . . 357
  Enabling RACF to verify signed programs . . . 359
    Overview of enabling RACF to verify signed programs . . . 359
    Steps for discovering if signed programs currently execute on your systems (optional) . . . 363
    Steps for preparing RACF to verify signed programs (one-time setup) . . . 365
    Steps for verifying a signed program . . . 366

Chapter 11. Operating Considerations . . . 369
  Coordinating Profile Updates . . . 369
    RACF Commands for Flushing a VLF Cache . . . 370
  Getting Started with RACF (after First Installing RACF) . . . 371
    Logging On as IBMUSER and Checking Initial Conditions . . . 372
    Defining Administrator User IDs for Your Own Use . . . 373
    Defining at Least One User ID to Be Used for Emergencies Only . . . 373
    Logging on as RACFADM, Checking Groups and Users, and Revoking IBMUSER . . . 373
    Defining the Groups Needed for the First Users . . . 374
    Defining a System-Wide Auditor . . . 374
    Defining Users and Groups . . . 374
    Defining Group Administrators, Group Auditors, and Data Managers . . . 374
    Protecting System Data Sets . . . 375
    Setting RACF Options . . . 376
  Using the Data Security Monitor (DSMON) . . . 376
  JCL Parameters Related to RACF . . . 380
  Restarting Jobs . . . 381
  Bypassing Password Protection . . . 381
  Controlling Access to RACF Passwords . . . 381
  Authorizing Only RACF-Defined Users to Access RACF-Protected Resources . . . 382
  Using the TSO or ISPF Editor . . . 383
  Service by IBM Personnel . . . 383
  Failsoft Processing . . . 383
    Failsoft Processing with Tape Data Sets . . . 384
  Considerations for RACF Databases . . . 385
    Backup RACF Database . . . 385
    Multiple Data Set Support . . . 385
    Protecting the RACF Database . . . 385
    Using RACF Data Sharing . . . 386
    Sharing Data without Sharing a RACF Database . . . 386
    Number of Resident Data Blocks . . . 386

Chapter 12. Working With The RACF Database . . . 387
  Using the RACF Database Unload Utility (IRRDBU00) . . . 388
    Diagnosis . . . 388
    Performance Considerations . . . 388
    Operational Considerations . . . 389
    Running the Database Unload Utility . . . 390
    Allowable Parameters . . . 392
    Using the Database Unload Utility Output Effectively . . . 393
  Using the RACF remove ID (IRRRID00) utility . . . 410
    IRRRID00 Job Control Statements . . . 412
    IRRRID00 return codes . . . 415
    Finding Residual IDs . . . 415
    Creating Commands to Remove IDs . . . 417
    Using IRRRID00 output . . . 418
    Processing Profiles and Resources . . . 421
    What IRRRID00 Verifies . . . 422
    Database Objects That Are Not Processed . . . 423
    Processing a Hierarchy of Groups . . . 423
    Processing Global Profiles . . . 423
    Processing General Resource Profiles . . . 423
    Processing MEMBER Data . . . 424
    Processing Universal Groups . . . 424
    IRRRID00 and Tivoli . . . 424
    Time Required to Run IRRRID00 . . . 425

Chapter 13. The RACF remote sharing facility (RRSF) . . . 427
  The RRSF network . . . 429
    RRSF nodes . . . 429
  Establishing User ID associations in the RRSF network . . . 430
    Types of User ID Associations . . . 431
    Password Synchronization . . . 431
  User ID associations . . . 432
    Defining User ID Associations . . . 432
    Approving User ID Associations . . . 433
    Deleting User ID Associations . . . 433
    Listing User ID Associations . . . 434
  Command Direction . . . 434
    Commands That Are Not Eligible for Command Direction . . . 434
    Directing Commands Using the AT Option . . . 435
    Directing Commands Using the ONLYAT Option . . . 437
    Order considerations for directed commands and application updates . . . 438
    Directing commands to incompatible systems . . . 439
  Automatic direction . . . 439
    Preparing to Use Automatic Direction . . . 441
    Output Processing . . . 444
    Interactions among Automatic Direction Functions and Password Synchronization . . . 449
    Using Automatic Direction of Commands . . . 451
    Using Automatic Direction of Application Updates . . . 454
    Using Automatic Password Direction . . . 457
    Synchronizing database profiles . . . 459
  Establishing RACF security for RRSF TCP/IP connections . . . 459
    Task roadmap for establishing RACF security for RRSF TCP/IP connections . . . 460
    Administer profiles in the SERVAUTH class to enable RRSF to use TCP/IP node connections . . . 460
    Implementing an RRSF trust policy . . . 462

Chapter 14. Providing Security for JES . . . 471
  Planning for Security . . . 472
  How JES and RACF Work Together . . . 473
  Defining JES as a RACF Started Procedure . . . 473
  Forcing Batch Users to Identify Themselves to RACF . . . 474
  Support for Execution Batch Monitor (XBM) (JES2 Only) . . . 474
  Defining and Grouping Operators . . . 474
  JES User ID Early Verification . . . 475
  User ID Propagation When Jobs Are Submitted . . . 475
    Allowing Surrogate Job Submission . . . 475
    Controlling User ID Propagation in a Local Environment . . . 477
  Using Protected User IDs for Batch Jobs . . . 478
    Propagating Protected User IDs . . . 478
    Using Protected User IDs for Surrogate Job Submission . . . 478
  Where NJE Jobs Are Verified . . . 478
  How SYSOUT Requests Are Verified . . . 479
  Security Labels for JES Resources . . . 480
  Controlling Access to Data Sets JES Uses . . . 480
  Controlling Input to Your System . . . 481
    How RACF Validates Users . . . 481
    Controlling the Use of Job Names . . . 482
    Authorizing the Use of Input Sources . . . 485
  Authorizing Network Jobs and SYSOUT (NJE) . . . 486
    Authorizing Inbound Work . . . 487
    Authorizing Outbound Work . . . 504
  Controlling Access to Spool Data . . . 504
    Protecting Data Sets on Spools . . . 504
    Defining Profiles for SYSIN and SYSOUT Data Sets . . . 505
    Letting Users Create Their Own JESSPOOL Profiles . . . 507
    Protecting JESNEWS . . . 508
    Protecting Trace Data Sets (JES2 Only) . . . 510
    Protecting SYSLOG . . . 510
    Spool Offload Considerations (JES2 Only) . . . 510
    How RACF Affects Jobs Dumped from and Restored to Spool (JES3 Only) . . . 511
  Authorizing Console Access . . . 511
    MCS Consoles . . . 511
    Remote Workstations (RJP/RJE Consoles) . . . 512
    JES3 Consoles . . . 514
  Controlling Where Output Can Be Processed . . . 514
  Authorizing the Use of Your Installation's Printers . . . 515
  Authorizing the Use of Operator Commands . . . 516
    Commands from RJE Work Stations . . . 516
    Commands from NJE Nodes . . . 516
    Who Authorizes Commands When RACF Is Active . . . 517

Chapter 15. RACF and Storage Management Subsystem (SMS) . . . 519
  Overview of RACF and SMS . . . 519
  RACF General Resource Classes for Protecting SMS Classes . . . 519
  Controlling the Use of SMS Classes . . . 520
    Refreshing Profiles for SETROPTS RACLIST Processing for MGMTCLAS and STORCLAS . . . 521
  DFP Segment in RACF Profiles . . . 521
    DFP Segment in User and Group Profiles . . . 522
    DFP Segment in Data Set Profiles . . . 523
How RACF Uses the Information in the DFPSegments . . . . . . . . . . . . . . 524Controlling Access to the DFP Segment. . . . 524
Controlling the Use of Other SMS Resources . . . 527
Chapter 16. RACF and TSO/E . . . 529
  TSO/E Administration Considerations . . . 529
  Protecting TSO Resources . . . 530
  Authorization Checking for Protected TSO Resources . . . 533
  Field-Level Access Checking for TSO . . . 533
  Controlling the Use of the TSO SEND Command . . . 533
  Restricting Spool Access by TSO Users . . . 534
  TSO Commands That Relate to RACF . . . 534
  Using TSO When RACF Is Deactivated . . . 535

Chapter 17. RACF and z/OS UNIX . . . 537
  Defining group identifiers (GIDs) . . . 538
  Defining user identifiers (UIDs) . . . 539
    Listing UIDs and GIDs . . . 539
    Superuser authority . . . 540
    Setting z/OS UNIX user limits . . . 540
    Protected user IDs . . . 541
  Controlling the use of shared UNIX identities . . . 541
    Sharing IDs . . . 541
    Defining the SHARED.IDS profile in the UNIXPRIV class . . . 542
    Using the SHARED operand . . . 542
  Enabling automatic assignment of unique UNIX identities . . . 543
    Automatically assigning unique IDs using RACF commands . . . 544
    Automatically assigning unique IDs through UNIX services . . . 545
    RRSF considerations for automatic ID assignment . . . 549
  Enabling default OMVS segments processing . . . 550
  z/OS UNIX performance considerations . . . 552
    Converting to stage 3 of application identity mapping . . . 553
    Using the UNIXMAP class and Virtual Lookaside Facility (VLF) . . . 553
  Using UNIXPRIV class profiles to manage z/OS UNIX privileges . . . 556
    Example of authorizing superuser privileges . . . 557
    Allowing z/OS UNIX users to change file ownerships . . . 557
    Configuring the group owner for new UNIX files . . . 558
  Protecting file system resources . . . 559
    Administering ACLs . . . 559
  z/OS UNIX application considerations . . . 562
    Threads and security . . . 562
    Application services and security . . . 564
    Restrictions of RACF client ACEE support . . . 564
  Auditing z/OS UNIX security events . . . 565

Chapter 18. RACF and digital certificates . . . 567
  Overview of digital certificates . . . 568
    Public and private keys . . . 568
    X.509 certificates . . . 569
    Certificate hierarchies . . . 570
    Certificate formats . . . 571
    Using certificates with z/OS client/server applications . . . 572
    Enabling client login using certificates . . . 575
  Using RACF to manage digital certificates . . . 577
    Size considerations for public and private keys . . . 578
  Using the RACDCERT command to administer certificates . . . 579
    Sharing the RACF database with a z/VM system . . . 580
    Controlling the Use of the RACDCERT Command . . . 580
    Examples of adding digital certificate information . . . 583
    Examples of listing digital certificate information . . . 583
    Examples of checking digital certificate information . . . 588
    Examples of altering digital certificate information . . . 590
    Examples of deleting digital certificates . . . 590
  DIGTCERT general resource profiles . . . 591
    DIGTCERT profile names . . . 591
    Ownership of DIGTCERT profiles . . . 592
    RACLISTing the DIGTCERT class . . . 592
  RACF and key rings . . . 593
    DIGTRING general resource profiles . . . 594
    Sharing a private key using a key ring . . . 595
    Using a virtual key ring . . . 595
  RACF and z/OS PKCS #11 tokens . . . 595
    Creating and populating PKCS #11 tokens . . . 596
  Certificate name filtering . . . 598
    Interpreting the X.500 directory information tree . . . 598
    Creating certificate name filters . . . 599
    Types of certificate name filters . . . 601
    How RACF processes certificate name filters . . . 605
    Using an existing certificate as a model . . . 605
    Excluding a certificate by using the NOTRUST option . . . 606
    Mapping multiple user IDs using additional criteria . . . 606
  Automatic registration of digital certificates . . . 610
  Integrated Cryptographic Service Facility (ICSF) considerations . . . 611
    Using a PCI cryptographic coprocessor to generate private keys . . . 611
    Migrating an ICSF private key from one system to another . . . 611
  The irrcerta, irrmulti, and irrsitec user IDs . . . 613
  Renewing an expiring certificate . . . 613
    Renewing a certificate with the same private key . . . 614
    Renewing (rekeying) a certificate with a new private key . . . 615
  Supplied digital certificates . . . 618
    Steps to begin using a supplied CA certificate . . . 619
  Implementation scenarios . . . 620
    Scenario 1: Secure Server with a Certificate Signed by a Certificate Authority . . . 620
    Scenario 2: Secure Server with a Locally Signed Certificate . . . 621
    Scenario 3: Migrating an ikeyman or gskkyman Certificate . . . 622
    Scenario 4: Secure Server-to-Server Session Enablement . . . 623
    Scenario 5: Creating Client Browser Certificates with a Locally Signed Certificate . . . 624
    Scenario 6: Enabling Secure Outbound FTP . . . 625
    Scenario 7: Sharing One Certificate Between Multiple Servers . . . 626
    Scenario 8: Using the IBM Encryption Facility for z/OS . . . 627

Chapter 19. Controlling applications that invoke callable services . . . 629
  Authorizing applications . . . 629
    Defining applications as RACF users . . . 630
    Defining resources that control callable services . . . 630
    Activating your authorizations . . . 630
  initACEE (IRRSIA00) callable service . . . 631
    Registering user certificates . . . 631
    Deregistering user certificates . . . 631
    Replacing certificate-authority certificates . . . 631
    Using a hostIdMappings extension . . . 632
  R_admin (IRRSEQ00) callable service . . . 633
  R_auditx (IRRSAX00) callable service . . . 633
  R_cacheserv (IRRSCH00) callable service . . . 633
  R_datalib (IRRSDL00 or IRRSDL64) callable service . . . 634
    Extracting private keys . . . 634
    Managing certificate serial numbers . . . 634
  R_dcekey (IRRSDK00) callable service . . . 634
  R_GetInfo (IRRSGI00) callable service . . . 635
  R_dceruid (IRRSUD00) callable service . . . 635
  R_PKIServ (IRRSPX00) callable service . . . 635
    Authorizing end-user functions . . . 636
    Authorizing administrative functions . . . 638
  R_proxyserv (IRRSPY00) callable service . . . 639
  R_ticketserv (IRRSPK00) callable service . . . 640
    Permitting access to the IRR.RTICKETSERV resource . . . 640

Chapter 20. RACF and the z/OS LDAP server . . . 641
  Defining an LDAPBIND class profile . . . 641
  LDAP event notification . . . 642
    LDAP change log entries . . . 643
    LDAP notification occurs in real-time only . . . 645
    RRSF considerations for applications that exploit enveloping . . . 645
    Activating LDAP change notification . . . 645
    Disabling LDAP change notification . . . 646

Chapter 21. Password and password phrase enveloping . . . 647
  Overview of enveloping . . . 647
    Resources that control enveloping . . . 648
    Signing hash algorithm and encryption strength used to create the envelope . . . 649
    The IRR.PWENV.KEYRING key ring . . . 650
    Controlling envelope retrieval . . . 650
    The NOTIFY.LDAP.USER resource . . . 650
  Setting up enveloping . . . 650
    Preparing the address space of the RACF subsystem . . . 651
    Generating a local CA certificate using RACF as the CA . . . 651
    Generating an X.509 V3 certificate for the RACF address space . . . 652
    Generating an X.509 V3 certificate for the envelope recipient . . . 653
    Copying the certificates to the host system (if generated elsewhere) . . . 655
    Exporting RACF's certificate to the recipient key database . . . 656
    Authorizing the envelope recipient . . . 657
  Activating enveloping . . . 657
  Disabling enveloping . . . 659
    Steps for disabling enveloping and deleting existing envelopes . . . 660
  Planning considerations for heterogeneous password synchronization . . . 661

Chapter 22. Defining and using custom fields . . . 663
  Overview of custom fields . . . 663
  Task roadmap for defining and using custom fields . . . 664
  Defining a custom field and its field attributes . . . 664
    Profiles in the CFIELD class . . . 665
    Steps for defining a custom field and its attributes . . . 666
  Activating a custom field . . . 669
    Steps for activating a custom field . . . 669
  Adding data to a custom field . . . 670
    Steps for adding data to a custom field . . . 670
  Authorizing users to define custom fields . . . 672
    Steps for authorizing users to define custom fields . . . 672
  Authorizing users to update data in a custom field . . . 673
    Authorizing users for the ISPF panels to update custom field data . . . 673
    Steps for authorizing users to update data in a custom field . . . 673
  Changing attributes of an existing custom field . . . 674
    When you need to change the data type . . . 675
    When you need to change the MAXLENGTH of a numeric field . . . 676
  Removing a custom field . . . 678
    Steps for removing a custom field . . . 678
  Common errors when defining and using custom fields . . . 679
    Errors defining a custom field . . . 679
    Errors adding data to a custom field . . . 679
  RRSF considerations for custom fields . . . 681

Chapter 23. Authorizing help desk functions . . . 683
  Delegating the authority to list user information . . . 684
    Delegating the authority to list user information in any user profile . . . 684
    Delegating the authority to list user information in only selected user profiles . . . 685
    Delegating the authority to list user information by owner . . . 686
    Delegating the authority to list user information by group tree . . . 687
    Excluding selected user profiles . . . 688
  Delegating the authority to reset passwords and password phrases . . . 689
    Levels of authority . . . 690
    Delegating the authority to reset the password for any user . . . 691
    Delegating the authority to reset passwords for only selected users . . . 692
    Delegating the authority to reset passwords by owner . . . 693
    Delegating the authority to reset passwords by group tree . . . 694
    Excluding selected users . . . 695
  Delegating both by owner and by group tree . . . 697
  Examples of delegating help desk authorities . . . 697
    Delegating help desk authorities by owner . . . 697
    Delegating help desk authorities by group tree . . . 698
    Delegating help desk authorities for all users, excluding selected users . . . 699

Chapter 24. Distributed identity filters . . . 701
  Overview of distributed identity filters . . . 701
    What is a distributed identity filter? . . . 701
    Applications that support distributed identity filters . . . 702
    Overview of the RACMAP command . . . 702
    Profiles in the IDIDMAP class . . . 703
    RACMAP command updates to user profiles . . . 703
    DELUSER processing with distributed identity filters . . . 703
    IRRRID00 considerations for distributed identity filters . . . 704
    Details about specifying user and registry names . . . 704
    Restrictions for UTF-8 data values . . . 708
  Defining a filter for a non-LDAP user name . . . 709
    Steps for defining a filter for a non-LDAP user name . . . 709
  Defining a filter for an X.500 user identity . . . 710
    Steps for defining a filter for a full X.500 DN . . . 710
    Steps for defining a filter using selected RDNs . . . 711
  Deleting a distributed identity filter . . . 713
    Steps for deleting a distributed identity filter . . . 713

Appendix A. Supplied RACF resource classes . . . 715
  Supplied resource classes for z/OS systems . . . 715
  Supplied resource classes for z/VM systems . . . 723

Appendix B. Summary of RACF commands and authorities . . . 725
  Summary of commands and their functions . . . 725
  Summary of Authorities and Commands . . . 728
    The SPECIAL or group-SPECIAL Attribute . . . 729
    The AUDITOR or group-AUDITOR Attribute . . . 730
    The OPERATIONS or group-OPERATIONS Attribute . . . 730
    The CLAUTH Attribute . . . 730
    Group Authority . . . 731
    Access Authority . . . 732
    Profile Ownership Authority . . . 732
    Other Authorities . . . 733

Appendix C. Listings of RACF supplied certificates . . . 735

Appendix D. Security for system data sets . . . 745

Appendix E. Debugging problems in the RACF database . . . 749
  Checklist: Resolving Problems When Access Is Denied Unexpectedly . . . 749
  Checklist: Resolving Problems When Access Is Allowed Incorrectly . . . 751
  When Changes to Data Set Profiles Take Effect . . . 752
  Authorization Checking for RACF-Protected Resources . . . 753
    When Authorization Checking Takes Place and Why . . . 753
    Authorizing Access to RACF-Protected Resources . . . 754
    Pictorial View of RACF Authorization Checking . . . 759
    Authorizing Access to z/OS UNIX Files and Directories . . . 764
    Authorizing Access to RACF-Protected Terminals . . . 766
    Authorizing Access to Consoles, JES Input Devices, APPC Partner LUs, or IP Addresses . . . 767
    Authorization Checking for RACROUTE REQUEST=FASTAUTH Requests . . . 769
    Authorizing Access to RACF-Protected Applications . . . 770
    Security Label Authorization Checking . . . 770
    Relationships among the SECLABEL class, SETROPTS MLS(FAILURES), SETROPTS MLACTIVE(FAILURES) and SETROPTS MLQUIET . . . 774
  Problems with User ID Authentication . . . 775
    When Logon or Job Initialization Processing Takes Place and Why . . . 775
    Logon/Job Initialization Processing . . . 776

Appendix F. Accessibility . . . 779
  Using assistive technologies . . . 779
  Keyboard navigation of the user interface . . . 779
  z/OS information . . . 779

Notices . . . 781
  Policy for unsupported hardware . . . 783
  Trademarks . . . 783

Glossary . . . 785

Index . . . 803
Figures

1. RACF authorization checking . . . 4
2. Sample ISPF panel for RACF . . . 15
3. Scope of control of an attribute assigned at the group level . . . 17
4. User and group relationships . . . 45
5. Group-level authority structure . . . 86
6. Scope of authority for a group-SPECIAL user . . . 87
7. Delegating authority (user profiles) . . . 99
8. Example of two network LU partners . . . 245
9. Reports produced by DSMON . . . 377
10. Member UGRP: Users with extraordinary group authorities report format statements . . . 394
11. Member UGRPCNTL: Users with extraordinary group authorities record selection statements . . . 395
12. Report of all users with extraordinary group authorities . . . 396
13. Customized record selection criteria . . . 398
14. Customized report format . . . 399
15. Customized report JCL . . . 399
16. Sample SQL utility statements: Defining a table space . . . 401
17. Sample SQL utility statements: Creating a table . . . 402
18. Sample SQL utility statements: Creating indexes . . . 402
19. DB2 utility statements required to load the tables . . . 403
20. DB2 utility statements required to delete the group records . . . 403
21. Sample SQL to process revoke and resume dates . . . 407
22. A sample SQL query . . . 408
23. A sample QMF form . . . 409
24. A sample report . . . 409
25. Using the remove ID utility . . . 411
26. Searching for all residual references . . . 414
27. Searching for specific references . . . 414
28. Specifying a replacement ID . . . 415
29. Running IRRRID00 with an empty SYSIN: Sample input . . . 416
30. Running IRRRID00 with an empty SYSIN: Sample output . . . 417
31. Running IRRRID00 with data in SYSIN: Sample input . . . 418
32. Running IRRRID00 with data in SYSIN: Sample output . . . 418
33. Sample output from the IRRRID00 utility . . . 420
34. Running IRRRID00 CLIST using TMP: Sample JCL statements . . . 421
35. An RRSF network . . . 429
36. Captured Output From a Password Synchronization Request . . . 432
37. RACLINK ID(userid) LIST(*.*) Output . . . 434
38. Captured Output from a Directed LISTGRP Command . . . 437
39. Captured Output from a Directed ADDSD Command . . . 437
40. Which NODES profiles are used? . . . 491
41. Example: Simple NJE user translation . . . 499
42. Example: Simple NJE user translation using &SUSER . . . 500
43. Example: Trusted, semitrusted, and untrusted nodes . . . 501
44. Example of a simple certificate hierarchy . . . 570
45. A high-level view of a secure z/OS handshake using a public key network protocol . . . 573
46. Controlling access to RACDCERT functions . . . 582
47. Output from the RACDCERT LIST command . . . 584
48. Output from the RACDCERT LISTRING command . . . 585
49. Output from the RACDCERT LIST command with LABEL . . . 586
50. Output from the RLIST DIGTCERT command . . . 587
51. Output from the SEARCH CLASS(DIGTCERT) command . . . 588
52. Example of an X.500 directory information tree . . . 599
53. Sample RACDCERT MAP command for creating an issuer's name filter . . . 600
54. Sample output from the LISTMAP command for an issuer's name filter . . . 601
55. Sample RACDCERT MAP commands for creating subject's name filters . . . 602
56. Sample RACDCERT MAP command for creating a subject's and issuer's name filter . . . 603
57. Sample RACDCERT MAP commands using a model certificate . . . 606
58. Sample RACDCERT MAP commands not using a model certificate . . . 606
59. Sample RACDCERT MAP command using the NOTRUST option . . . 606
60. Sample RACDCERT MAP and RDEFINE commands for mapping multiple user IDs . . . 608
61. Sample output from the LISTMAP command for a MULTIID filter . . . 608
62. Sample RACDCERT MAP and RDEFINE commands using multiple criteria . . . 609
63. Sample group and user structure for delegating help desk authorities . . . 697
64. Process flow of callers of RACF for RACROUTE REQUEST=AUTH requests . . . 759
65. Process flow of SAF router for RACROUTE REQUEST=AUTH requests . . . 760
66. Process flow of RACF router . . . 761
67. Process flow of RACF authorization checking . . . 762
Tables

1. User attributes . . . 18
2. Commands to list profile contents . . . 30
3. Command to search for profile names . . . 32
4. Participants of the security implementation team . . . 38
5. Checklist for implementation team activities . . . 48
6. Group authorities . . . 60
7. Scope of authority for user attributes at the group level . . . 84
8. Sample profile names for STARTED class resources . . . 157
9. Sample data set profile names in order from most specific to least specific (EGN off) . . . 170
10. Sample data set profile names in order from most specific to least specific (EGN on) . . . 171
11. Protecting GDG data sets using generic profiles . . . 178
12. Access authorities for DASD data sets . . . 181
13. RACF commands used with general resource profiles . . . 207
14. Choosing among generic profiles, resource group profiles, and RACFVARS profiles . . . 211
15. Sample general resource profile names in order from most specific to least specific . . . 214
16. ALTER, NONE, and CONTROL, UPDATE, and READ access authorities for general resources . . . 216
17. Comparison of GRPACC attribute with &RACGPID.** entry in global access checking table . . . 222
18. Fields in RACF profile segments that correspond to RACF command operands . . . 228
19. Delegating authority in the FACILITY class . . . 233
20. RACF classes used to authorize operator commands . . . 273
21. RACF operator command profiles: Naming conventions . . . 277
22. RACF TSO commands entered as operator commands: Naming conventions . . . 278
23. Automatic command direction: Resource names . . . 282
24. KEYSMSTR class profiles . . . 298
25. Processing options controlled simultaneously for classes sharing a POSIT value . . . 306
26. ICHERCDE macro operands and the corresponding operands for the RDEFINE and RALTER commands . . . 317
27. Correlation of record type, record name, and DB2 table name . . . 404
28. Return codes for the remove ID utility (IRRRID00) . . . 415
29. RRSFDATA resources to control propagation of certificate information . . . 457
30. NODES class operands and the UACC meaning for inbound jobs . . . 493
31. NODES class operands, UACC, and SYSOUT ownership when node is not defined to &RACLNDE . . . 497
32. TSO command usage when RACF protection is enabled . . . 534
33. The UNIXMAP class and VLF: Effects on performance for installations that have not reached stage 3 of application identity mapping . . . 554
34. Subject's and issuer's distinguished names . . . 598
35. Summary of access authorities required for PKI Services requests . . . 637
36. LDAP event notification of RACF profile changes . . . 643
37. Resource classes for z/OS systems . . . 715
38. Resource classes for z/VM systems . . . 723
39. Functions of RACF commands . . . 725
40. Commands and operands you can issue if you have the SPECIAL or group-SPECIAL attribute . . . 729
41. Commands and operands you can issue if you have the AUDITOR or group-AUDITOR attribute . . . 730
42. Commands and operands you can issue if you have the OPERATIONS or group-OPERATIONS attribute . . . 730
43. Commands and operands you can issue if you have the CLAUTH attribute . . . 730
44. Commands and operands you can issue if you have a group authority . . . 731
45. Commands and operands you can issue if you have an access authority . . . 732
46. Commands and operands you can issue if you own a profile . . . 732
47. Commands and operands you can issue for miscellaneous reasons . . . 733
48. UACC values for system data sets . . . 745
49. Required relationship between security levels for each MAC checking type . . . 771
50. Security label authorization checking when SECLABEL class is active and either SETROPTS MLS(FAILURES) or MLS(WARNING) is in effect . . . 772
51. Security label authorization checking when SECLABEL class is active and either SETROPTS NOMLS is in effect or the user is in "writedown" mode . . . 773
52. Effects of MLACTIVE settings on security label authorization . . . 774
53. Relationships among the SECLABEL class, SETROPTS MLS(FAILURES), SETROPTS MLACTIVE(FAILURES), and SETROPTS MLQUIET . . . 774
54. Resource classes checked for logon and job initialization requests . . . 777
About this document

This document supports z/OS (5694-A01) and contains information about Resource Access Control Facility (RACF), which is part of z/OS Security Server. This document provides information to help the security administrator plan for and administer the RACF component of z/OS Security Server.

Who should use this document

Security administrators, group administrators, and other administrators who are responsible for system data security and integrity on a z/OS system should use this document for such tasks as:
• Planning how to use RACF to increase the security of the system
• Deciding which resources to protect
• Performing administration tasks
• Coordinating with administrators of other products

Readers should be familiar with RACF concepts and terminology. The readers of this document should also be familiar with z/OS systems.

RACF overview information can be obtained from the RACF home page: http://www.ibm.com/servers/eserver/zseries/zos/racf/

How to use this document

Much of this document describes how to protect resources, such as data sets, terminals, and others. In general, you first need to define users to RACF and set some RACF options. Then, depending on your security plan, you select classes of resources to protect and create resource profiles for them.

If you are reading this document for the first time, consider reading the following parts first:
• Chapter 1, Introduction, on page 1
• Chapter 2, Organizing for RACF Implementation, on page 37
• Chapter 3, Defining Groups and Users, on page 51
• Defining Profiles for General Resources on page 207
• Setting Up the Global Access Checking Table on page 218
• Getting Started with RACF (after First Installing RACF) on page 371
• Appropriate portions of Chapter 5, Specifying RACF Options, on page 113

Where to find more information

Where necessary, this document references information in other documents. For complete titles and order numbers for all elements of z/OS, see z/OS Information Roadmap.

Softcopy documents

The RACF library is available on the following DVD softcopy collection in both BookManager and Portable Document Format (PDF) files. The collection includes
Softcopy Reader, which is a program that enables you to view the BookManager files. You can view or print the PDF files with an Adobe Reader.

SK3T-4271 z/OS Version 1 Release 13 and Software Products DVD Collection
This collection contains the documents for z/OS Version 1 Release 13 and the libraries for multiple releases of more than 400 z/OS-related software products, on DVDs.

The following CD softcopy collection includes books related to RACF:

SK3T-7876 IBM System z Redbooks Collection
This softcopy collection contains a set of documents called IBM Redbooks that pertain to System z subject areas ranging from e-business application development and enablement to hardware, networking, Linux, solutions, security, Parallel Sysplex and many others.

RACF courses

The following RACF classroom courses are available in the United States:
H3917 Basics of z/OS RACF Administration
H3927 Effective RACF Administration
ES885 Exploiting the Advanced Features of RACF
ES840 Implementing RACF Security for CICS

IBM provides a variety of educational offerings for RACF. For more information about classroom courses and other offerings, do any of the following:
• See your IBM representative
• Call 1-800-IBM-TEACh (1-800-426-8322)

IBM systems center publications

IBM systems centers produce documents known as IBM Redbooks that can help you set up and use RACF. These documents have not been subjected to any formal review nor have they been checked for technical accuracy, but they represent current product understanding (at the time of their publication) and provide valuable information on a wide range of RACF topics. They are not shipped with RACF; you must order them separately. A selected list of these documents follows. Other documents are available, but they are not included in this list, either because the information they present has been incorporated into IBM product manuals or because their technical content is outdated.

GG24-4282 Secured Single Signon in a Client/Server Environment
GG24-4453 Enhanced Auditing Using the RACF SMF Data Unload Utility
GG26-2005 RACF Support for Open Systems Technical Presentation Guide
SG24-4820 OS/390 Security Server Audit Tool and Report Application
SG24-5158 Ready for e-business: OS/390 Security Server Enhancements
SG24-6840 Communications Server for z/OS V1R2 TCP/IP Implementation Guide Volume 7: Security
Other sources of information

IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is also available through the Internet.

Internet sources

The following resources are available through the Internet to provide additional information about the RACF library and other security-related topics:
• Online library
  To view and print online versions of the z/OS publications, use this address: http://www.ibm.com/systems/z/os/zos/bkserv/
• Redbooks
  The documents known as IBM Redbooks that are produced by the International Technical Support Organization (ITSO) are available at the following address: http://www.redbooks.ibm.com
• Enterprise systems security
  For more information about security on the S/390 platform, OS/390, and z/OS, including the elements that comprise the Security Server, use this address: http://www.ibm.com/systems/z/advantages/security/
• RACF home page
  You can visit the RACF home page on the World Wide Web using this address: http://www.ibm.com/systems/z/os/zos/features/racf/
• RACF-L discussion list
  Customers and IBM participants may also discuss RACF on the RACF-L discussion list. RACF-L is not operated or sponsored by IBM; it is run by the University of Georgia.
  To subscribe to the RACF-L discussion and receive postings, send a note to: [email protected]
  Include the following line in the body of the note, substituting your first name and last name as indicated:
  subscribe racf-l first_name last_name
  To post a question or response to RACF-L, send a note, including an appropriate Subject: line, to: [email protected]
• Sample code
  You can get sample code, internally-developed tools, and exits to help you use RACF. This code works in our environment, at the time we make it available, but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use.
  To access this code from a Web browser, go to the RACF home page and select the Resources file tab, then select Downloads from the list, or go to http://www-03.ibm.com/systems/z/os/zos/features/racf/goodies.html. The code is also available from ftp.software.ibm.com through anonymous FTP. To get access:
  1. Log in as user anonymous.
  2. Change the directory, as follows, to find the subdirectories that contain the sample code or tool you want to download:
     cd eserver/zseries/zos/racf/
An announcement will be posted on the RACF-L discussion list wheneversomething is added.
Note: Some Web browsers and some FTP clients (especially those using agraphical interface) might have problems using ftp.software.ibm.combecause of inconsistencies in the way they implement the FTP protocols. Ifyou have problems, you can try the following: Try to get access by using a Web browser and the links from the RACF
home page. Use a different FTP client. If necessary, use a client that is based on
command line interfaces instead of graphical interfaces. If your FTP client has configuration parameters for the type of remote
system, configure it as UNIX instead of MVS.
RestrictionsBecause the sample code and tools are not officially supported, There are no guaranteed enhancements. No APARs can be accepted.
The z/OS Basic Skills Information Center
The z/OS Basic Skills Information Center is a Web-based information resource intended to help users learn the basic concepts of z/OS, the operating system that runs most of the IBM mainframe computers in use today. The Information Center is designed to introduce a new generation of Information Technology professionals to basic concepts and help them prepare for a career as a z/OS professional, such as a z/OS system programmer.
Specifically, the z/OS Basic Skills Information Center is intended to achieve the following objectives:
v Provide basic education and information about z/OS without charge
v Shorten the time it takes for people to become productive on the mainframe
v Make it easier for new people to learn z/OS.
To access the z/OS Basic Skills Information Center, open your Web browser to the following Web site, which is available to all users (no login required): http://publib.boulder.ibm.com/infocenter/zos/basics/index.jsp
To request copies of IBM publications
Direct your request for copies of any IBM publication to your IBM representative or to the IBM branch office serving your locality.
There is also a toll-free customer support number (1-800-879-2755) available Monday through Friday from 8:30 a.m. through 5:00 p.m. Eastern Time. You can use this number to:
v Order or inquire about IBM publications
v Resolve any software manufacturing or delivery concerns
v Activate the program reorder form to provide faster and more convenient ordering of software updates
How to send your comments to IBM
We appreciate your input on this publication. Feel free to comment on the clarity, accuracy, and completeness of the information or give us any other feedback that you might have.
Use one of the following methods to send us your comments:
1. Send an email to [email protected]
2. Visit the Contact z/OS web page at http://www.ibm.com/systems/z/os/zos/webqs.html
3. Mail the comments to the following address:
IBM Corporation
Attention: MHVRCFS Reader Comments
Department H6MA, Building 707
2455 South Road
Poughkeepsie, NY 12601-5400
U.S.A.
4. Fax the comments to us as follows:
From the United States and Canada: 1+845+432-9405
From all other countries: Your international access code +1+845+432-9405
Include the following information:
v Your name and address
v Your email address
v Your telephone or fax number
v The publication title and order number:
z/OS V1R13.0 Security Server RACF Security Administrator's Guide
SA22-7683-15
v The topic and page number related to your comment
v The text of your comment.
When you send comments to IBM, you grant IBM a nonexclusive right to use or distribute your comments in any way it believes appropriate without incurring any obligation to you.
IBM or any other organizations will only use the personal information that you supply to contact you about the issues that you submit.
If you have a technical problem
Do not use the feedback methods listed above. Instead, do one of the following:
v Contact your IBM service representative
v Call IBM technical support
v Visit the IBM support portal at http://www.ibm.com/systems/z/support/
Summary of changes
This document contains terminology, maintenance, and editorial changes. Technical changes or additions to the text and illustrations are indicated by a vertical line to the left of the change.
You might notice changes in the style and structure of some content in this document, for example, headings that use uppercase for the first letter of initial words only, and procedures that have a different look and format. The changes are ongoing improvements to the consistency and retrievability of information in our documents.
Changes made in z/OS Version 1 Release 13, SA22-7683-15
This document contains information previously presented in z/OS Security Server RACF Security Administrator's Guide, SA22-7683-14, which supports z/OS Version 1 Release 12.
New information:
v Establishing RACF security for RRSF TCP/IP connections on page 459
Changed information:
v Determining PTKTDATA Profile Names on page 254 is updated in support of APAR OA29784.
v The following topics are updated in support of the new PKDS options of the RACDCERT command:
- Chapter 10, Program signing and verification, on page 351
- Chapter 13, The RACF remote sharing facility (RRSF), on page 427
- Chapter 18, RACF and digital certificates, on page 567
v Chapter 13, The RACF remote sharing facility (RRSF), on page 427 is updated to support TCP/IP as a network protocol for RACF remote sharing facility (RRSF).
v Chapter 24, Distributed identity filters, on page 701 is updated to include information about the new QUERY function of the RACMAP command.
v Appendix A, Supplied RACF resource classes, on page 715 is updated with information about the following new classes:
- GZMFAPLA
- LDAP
- VMDEV
- ZMFAPLA
v Appendix C, Listings of RACF supplied certificates, on page 735 is updated to include information about new supplied certificates.
v Support is added for the following APARs:
- OA29784
- OA34629
v Based on a reader's comment, the example in Step 4 of Steps for automatically assigning unique IDs through UNIX services on page 546 is revised.
Deleted information:
v The information presented in the chapter previously entitled RACF and DCE is removed from this document. Beginning in z/OS Version 1 Release 13, z/OS Distributed Computing Environment (DCE) and Distributed Computing Environment Security Server (DCE Security Server) are no longer available.
Changes made in z/OS Version 1 Release 12, SA22-7683-14
This document contains information previously presented in z/OS Security Server RACF Security Administrator's Guide, SA22-7683-13, which supports z/OS Version 1 Release 11.
New information:
v Administering the RACFVARS member list on page 240
v Creating a RACFVARS member report on page 399
v DIGTCERT profile names on page 591
v Disabling LDAP change notification on page 646
Changed information:
v Activating Generic Profile Checking and Generic Command Processing on page 123 is updated to include information about the NOGENERIC option of the RDELETE command and the UNUSABLE indicator in the output of the RLIST and SEARCH commands for certain general resource profiles.
v Field-level access checking on page 225 is updated to support a new field in the ICSF segment of certain general resource profiles.
v How RACF uses the RACFVARS member list on page 240 is updated to support APAR OA30567.
v Steps for verifying a signed program on page 366 is updated with additional planning information.
v Size considerations for public and private keys on page 578 is updated to include information about the BPECC and NISTECC key types in support of the elliptic curve cryptography (ECC) algorithm for generating keys for digital certificates.
v The following topics are updated to support enhancements to the KERBLINK class:
- RRSF Considerations for z/OS Network Authentication Service on page 459
- Supplied resource classes for z/OS systems on page 715
v Appendix A, Supplied RACF resource classes, on page 715 includes an updated description for the KERBLINK class.
Deleted information:
v The information presented in the chapter previously entitled RACF and Information Management System (IMS) is removed from this document. The information is now presented in the following IMS publications:
- IMS Version 10 System Administration Guide (SC18-9718)
- IMS Version 11 System Administration Guide (SC19-2443)
The "Readers' Comments - We'd Like to Hear from You" section at the back of this publication has been replaced with a new section, How to send your comments to IBM on page xxi. The hardcopy mail-in form has been replaced with a page that provides information appropriate for submitting readers' comments to IBM.
Changes made in z/OS Version 1 Release 11, SA22-7683-13
This document contains information previously presented in z/OS Security Server RACF Security Administrator's Guide, SA22-7683-12, which supports z/OS Version 1 Release 10.
New information:
v Using restricted user IDs for distributed identity users on page 92
v Reducing application logon statistics on page 126
v Chapter 10, Program signing and verification, on page 351
v IRRRID00 return codes on page 415
v RRSF considerations for distributed identity filters on page 457
v Automatically assigning unique IDs through UNIX services on page 545
v Special RRSF considerations for automatic unique IDs on page 550
v Chapter 24, Distributed identity filters, on page 701
Changed information:
v The following topics are updated to describe automatic assignment of unique UIDs and GIDs through z/OS UNIX services:
- Controlling the use of shared UNIX identities on page 541
- Enabling automatic assignment of unique UNIX identities on page 543
- Enabling default OMVS segments processing on page 550
v The following topics are updated to support distributed identity filters and the new RACMAP command:
- Summary of Steps for Deleting Users on page 96
- Using the Database Unload Utility Output with DB2 on page 400
- Using the RACF remove ID (IRRRID00) utility on page 410
- Preparing to Use Automatic Direction on page 441
- Using Automatic Direction of Application Updates on page 454
v Field-level access checking on page 225 is updated to support new command operands and new fields in RACF profiles.
v RACF and ICSF on page 292 is updated to support the new ICSF segment.
v DB2 table names on page 403 is updated to support new output records from the database unload (IRRDBU00) utility.
v LDAP event notification on page 642 is updated to describe LDAP change logging for general resources.
v Appendix A, Supplied RACF resource classes, on page 715 includes new classes.
v Appendix B, Summary of RACF commands and authorities, on page 725 includes information about the functions and authorities related to the new RACMAP command.
v Appendix C, Listings of RACF supplied certificates, on page 735 includes information about a new IBM certificate that is supplied to support program verification for the modules of z/OS Cryptographic Services System SSL.
v Support for the following APARs is added:
- OA26109
- OA26110
- OA26302
- OA26468
v The following topics were added or updated based on comments from readers:
- Special Considerations for Global Access Checking on page 223
- Defining RACF Variables on page 238
- IRRRID00 utility: Running the output CLIST as a batch job on page 420
- Translating Security Information on page 498
- Examples of deleting digital certificates on page 590
- RACF and key rings on page 593
Moved information:
v The information presented in the chapter previously entitled Configuring z/OS to participate in an EIM domain is removed from this document. The information is now presented in z/OS Integrated Security Services EIM Guide and Reference.
Chapter 1. Introduction
How RACF Meets Security Needs . . . 2
  User Identification and Verification . . . 2
  Authorization Checking . . . 3
  Logging and Reporting . . . 4
  User Accountability . . . 5
    RACF Users . . . 6
    RACF Groups . . . 6
    What RACF Controls . . . 6
    How Users and Groups Are Authorized to Access Resources . . . 7
    RACF Profiles . . . 9
  Flexibility . . . 9
  RACF Transparency . . . 10
  Implementing Multilevel Security . . . 10
Multilevel Security . . . 10
  Characteristics of a Multilevel-Secure Environment . . . 11
    Mandatory Access Control (MAC) . . . 11
    Security Labels . . . 11
    Discretionary Access Control (DAC) . . . 11
    Resource Reuse . . . 12
    Identification and Authentication . . . 12
    Auditability of Security-Related Events . . . 12
Administering Security . . . 12
  Delegating Administration Tasks . . . 12
  Administering Security When a z/VM System Shares the RACF Database . . . 13
  Using RACF Commands or Panels . . . 13
    Choosing between using RACF TSO commands and ISPF panels . . . 14
RACF Group and User Structure . . . 15
  Defining Users and Groups . . . 16
    Assigning Optional User Attributes . . . 17
    Assigning Group Authorities . . . 19
    Profiles Associated with Users and Groups . . . 19
  Protecting Resources . . . 20
    Protecting Data Sets . . . 21
    Protecting General Resources . . . 22
    Installation-Defined Classes . . . 22
    Authority to Create Resource Profiles . . . 22
    Authority to Modify or Delete Resource Profiles . . . 22
    Owners of Resource Profiles . . . 23
    Setting Up the Global Access Checking Table . . . 23
  Security Classification of Users and Data . . . 24
  Selecting RACF Options . . . 24
Using RACF Installation Exits to Customize RACF . . . 24
  The RACROUTE REQUEST=VERIFY, VERIFYX, AUTH, and DEFINE exits . . . 24
  The RACROUTE REQUEST=LIST exits . . . 25
  The RACROUTE REQUEST=FASTAUTH exits . . . 25
  The RACF command exits . . . 25
  The RACF password processing exits . . . 25
  The RACF password authentication exits . . . 26
Tools for the Security Administrator . . . 26
  Using RACF utilities . . . 26
    RACF database initialization utility (IRRMIN00) . . . 26
    RACF database split/merge/extend utility (IRRUT400) . . . 26
    RACF database unload utility (IRRDBU00) . . . 27
    RACF database verification utility (IRRUT200) . . . 27
    RACF cross-reference utility (IRRUT100) . . . 27
    RACF remove ID utility (IRRRID00) . . . 27
    RACF SMF data unload utility (IRRADU00) . . . 28
  RACF block update command (BLKUPD) . . . 28
  Using the RACF report writer . . . 28
  Using the data security monitor . . . 29
  Recording statistics in RACF profiles . . . 29
  Listing information from RACF profiles . . . 29
  Searching for RACF profile names . . . 32
  Using the LIST and SEARCH commands effectively . . . 32
This topic introduces you to using RACF to administer security on your system.
Over the past several years, it has become much easier to create and access computerized information. No longer is system access limited to a handful of highly skilled programmers; information can now be created and accessed by almost anyone who takes a little time to become familiar with the newer, easier-to-use, high-level inquiry languages. As a result of this improved ease of use, the number of people using computer systems has increased dramatically. More and more people are becoming increasingly dependent on computer systems and the information they store in these systems.
As the general computer literacy and the number of people using computers have increased, the need for data security has taken on a new level of importance. No longer can the installation depend on keeping data secure simply because no one knows how to access the data. Further, making data secure does not mean just making confidential information inaccessible to those who should not see it; it means preventing the inadvertent destruction of files by people who might not even know that they are improperly manipulating data.
As the security administrator, it is your job to ensure that your installation's data is properly protected. RACF can help you do this.
How RACF Meets Security Needs
The RACF licensed program satisfies the preferences of the end user without compromising any of the concerns raised by security personnel. The RACF approach to data security is to provide an access control mechanism that:
v Offers effective user verification, resource authorization, and logging capabilities
v Supports the concept of user accountability
v Is flexible
v Has little noticeable effect on the majority of end users, and little or no impact on an installation's current operation
v Is easy to install and maintain
User Identification and Verification
RACF controls access to and protects resources. For a software access control mechanism to work effectively, it must first identify the person who is trying to gain access to the system, and then verify that the user is really that person.
RACF uses a user ID and a system-encrypted password or password phrase to perform its user identification and verification. When you define a user to RACF, you assign a user ID and temporary password. The user ID identifies the person to the system as a RACF user. The password or password phrase verifies the user's identity.
The temporary password permits initial entry to the system, at which time the person is required to choose a new password. Unless the user divulges it, no one else knows the user ID-password combination.
During terminal processing, RACF allows the use of an operator identification card (OIDCARD) in place of, or in addition to, the password or password phrase. (The OIDCARD information is also encrypted.) By requiring a user to know both the correct password and the correct OIDCARD, you have increased assurance that the proper user has entered the user ID.
The secured signon function provides an alternative to the RACF password called a PassTicket, which allows workstations and client machines to communicate with a host without using a RACF password or password phrase. Using this function can enhance security across a network. For more information, see Using the Secured Signon Function on page 252.
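The identification-and-verification sequence described above (a user ID that identifies, a stored one-way transform of the password that verifies, and a temporary password that must be replaced at first entry) as an added, simplified model. This is example code written for this edition, not IBM's code and not the processing RACF itself performs; the user ID JSMITH, the password values, the hash construction, and the lockout-after-three-failures policy are all constructed for the example and are not taken from this document.

```python
"""Simplified model of RACF-style user identification and verification.

Added example, not IBM's code: the user ID identifies the person, a salted
one-way hash of the password verifies them, and the temporary password
assigned when the user is defined is marked expired so that the first
successful logon must replace it. The lockout after repeated failures is a
constructed policy for this model, not a setting taken from the document.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UserEntry:
    """Constructed stand-in for the password-related part of a user profile."""
    userid: str
    salt: bytes
    digest: bytes
    expired: bool            # True while the administrator-assigned temporary password is in force
    failed_attempts: int = 0
    revoked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    """Salted one-way hash: the system stores this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserRegistry:
    MAX_FAILURES = 3   # constructed lockout threshold for the model

    def __init__(self) -> None:
        self._users: Dict[str, UserEntry] = {}

    def define_user(self, userid: str, temp_password: str) -> None:
        """Assign a user ID and a temporary password that must be changed on first entry."""
        salt = os.urandom(16)
        self._users[userid.upper()] = UserEntry(userid.upper(), salt, _hash(temp_password, salt), expired=True)

    def logon(self, userid: str, password: str, new_password: Optional[str] = None) -> str:
        """Identify the user by ID, verify the password, and return a status string."""
        entry = self._users.get(userid.upper())
        if entry is None:
            return "UNKNOWN_USER"              # identification failed
        if entry.revoked:
            return "REVOKED"
        if not hmac.compare_digest(_hash(password, entry.salt), entry.digest):
            entry.failed_attempts += 1         # verification failed
            if entry.failed_attempts >= self.MAX_FAILURES:
                entry.revoked = True
                return "REVOKED"
            return "INVALID_PASSWORD"
        entry.failed_attempts = 0
        if entry.expired:
            # The temporary password permits initial entry only; a new one is required
            # now, and it may not simply repeat the temporary one.
            if new_password is None or new_password == password:
                return "NEW_PASSWORD_REQUIRED"
            entry.salt = os.urandom(16)
            entry.digest = _hash(new_password, entry.salt)
            entry.expired = False
            return "PASSWORD_CHANGED"
        return "OK"


if __name__ == "__main__":
    reg = UserRegistry()
    reg.define_user("jsmith", "TEMP1234")                 # constructed user ID and password
    print(reg.logon("jsmith", "TEMP1234"))                # NEW_PASSWORD_REQUIRED
    print(reg.logon("jsmith", "TEMP1234", "N3wPass!"))    # PASSWORD_CHANGED
    print(reg.logon("jsmith", "N3wPass!"))                # OK
```

The point of the model is the order of the checks: identification (is the user ID known?) comes before verification (does the password match?), and a correct temporary password is accepted only as far as the forced change, so the administrator who assigned it never holds a working credential for the account once the user has logged on.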
Authorization Checking
Having identified a valid user, the software access control mechanism must next control interaction between the user and the system resources. It must authorize not only what resources that user can access, but also in what way the user can access them, such as for reading only, or for updating as well as reading. This controlled interaction, or authorization checking, is shown in Figure 1 on page 4. Before this activity can take place, however, someone with the proper authority at the installation must establish the constraints that govern those interactions.
With RACF, you are responsible for protecting the system resources (data sets, tape and DASD volumes, IMS and CICS transactions, TSO logon information, and terminals) and for issuing the authorities by which those resources are made available to users. RACF records your assignments in profiles stored in the RACF database. RACF then refers to the information in the profiles to decide if a user should be permitted to access a system resource.
Logging and Reporting
The ability to log information, such as attempted accesses to a resource, and to generate reports containing that information can prove useful to a resource owner, and is very important to a smoothly functioning security system.
Because RACF can identify and verify a user's user ID and recognize which resources the user can access, RACF can record the events where user-resource interaction has been attempted. This function records actual access activities or variances from the expected use of the system.
RACF has a number of logging and reporting functions that allow a resource owner to identify users who attempt to access the resource. In addition, you and your auditor can use these functions to log all detected successful and unsuccessful attempts to access the RACF database and RACF-protected resources. Logging all access attempts allows you to detect possible security exposures or threats. The logging and reporting functions are:
v Logging: RACF writes records to the system management facility (SMF) for detected, unauthorized attempts to enter the system. Optionally, RACF writes records to SMF for authorized attempts and detected, unauthorized attempts to:
- Access RACF-protected resources
- Issue RACF commands
- Modify profiles on the RACF database
RACF writes these records to an SMF data set. To list SMF records, you can use either the RACF SMF data unload utility (IRRADU00) or the RACF report writer.
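The two mechanisms described under Authorization Checking and Logging and Reporting, as one added, simplified model: a profile records the universal access, an access list of user and group entries, and whether successful accesses are to be logged; the check decides "which resource" and "in what way" by comparing the level the profile grants with the level requested, and every refused request (plus, when the profile asks for it, every permitted one) produces a log record that a report can later be drawn from. This is example code written for this edition, not IBM's code and not the algorithm RACF itself runs; generic profiles, the OPERATIONS attribute, security labels and the other inputs of a real RACF check are deliberately left out, and the profile names PAYROLL.MASTER and PUBLIC.NOTICES, the user IDs and the group PAYGRP are constructed for the example.

```python
"""Simplified model of RACF-style authorization checking and access logging.

Added example, not IBM's code and not RACF's own algorithm. A resource profile
carries a universal access (UACC), an access list of user and group entries,
and an audit setting. The check looks the requester up in the access list (an
entry for the user ID itself, then the groups the user is connected to), falls
back to UACC, and compares the permitted level with the requested one. Failed
checks are always logged; successful ones only when the profile asks for it.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Access levels form a hierarchy: holding a level grants every lower one.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    access_list: Dict[str, str] = field(default_factory=dict)  # user or group -> level
    audit_success: bool = False   # also log authorized accesses, not only refusals


@dataclass
class LogRecord:
    """Constructed stand-in for the SMF record RACF would write."""
    userid: str
    resource: str
    requested: str
    permitted: str
    outcome: str                  # "SUCCESS" or "FAILURE"


class AccessControl:
    def __init__(self) -> None:
        self.profiles: Dict[str, Profile] = {}
        self.groups: Dict[str, List[str]] = {}   # userid -> groups the user is connected to
        self.log: List[LogRecord] = []

    def permitted_level(self, userid: str, profile: Profile) -> str:
        """Highest access the profile grants this user: user entry, then groups, then UACC."""
        if userid in profile.access_list:          # an explicit user entry governs, even if NONE
            return profile.access_list[userid]
        group_levels = [profile.access_list[g]
                        for g in self.groups.get(userid, []) if g in profile.access_list]
        if group_levels:
            return max(group_levels, key=RANK.__getitem__)
        return profile.uacc

    def check(self, userid: str, resource: str, requested: str) -> bool:
        """Decide the request and write a log record for every failure (and audited success)."""
        profile = self.profiles.get(resource)
        if profile is None:
            return True     # no profile: the resource is unprotected in this model
        permitted = self.permitted_level(userid, profile)
        allowed = RANK[permitted] >= RANK[requested]
        if not allowed or profile.audit_success:
            self.log.append(LogRecord(userid, resource, requested, permitted,
                                      "SUCCESS" if allowed else "FAILURE"))
        return allowed

    def failed_attempts(self, resource: str) -> List[str]:
        """Report for a resource owner: who was refused access to this resource, in order."""
        return [r.userid for r in self.log if r.resource == resource and r.outcome == "FAILURE"]


def build_sample() -> AccessControl:
    """Constructed scenario: profile, user and group names are made up for the example."""
    ac = AccessControl()
    ac.profiles["PAYROLL.MASTER"] = Profile(
        "PAYROLL.MASTER", uacc="NONE",
        access_list={"PAYGRP": "READ", "PAYADM": "UPDATE", "TEMP01": "NONE"})
    ac.profiles["PUBLIC.NOTICES"] = Profile("PUBLIC.NOTICES", uacc="READ", audit_success=True)
    ac.groups = {"JSMITH": ["PAYGRP"], "TEMP01": ["PAYGRP"]}
    return ac


if __name__ == "__main__":
    ac = build_sample()
    for user, res, level in [("JSMITH", "PAYROLL.MASTER", "READ"),
                             ("JSMITH", "PAYROLL.MASTER", "UPDATE"),
                             ("TEMP01", "PAYROLL.MASTER", "READ"),
                             ("OUTSIDER", "PUBLIC.NOTICES", "READ")]:
        print(user, res, level, "->", "allowed" if ac.check(user, res, level) else "denied")
    for rec in ac.log:
        print(rec)
```

Two details of the model carry the security point of the two passages: an explicit access-list entry for a user ID takes precedence over anything the user's groups or the universal access would grant, so TEMP01 is refused READ even though the group PAYGRP holds it; and refusals are recorded unconditionally, so the failed-attempts report exists without the owner having to ask for success logging first.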
[Figure 1. Authorization checking: callouts (1) through (7) around RACF; the legend follows.]
(1) User requests access to a resource using a resource mana