RACF Users' News # 58

Dec., 2001 Newsletter

Issue No. 58

RACF (part of OS/390 Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.

Great New Web Site for RACF Info

Try http://www.ibm.com/servers/eserver/zseries/zos/racf  . You'll see that IBM is revising the way they organize their websites, based on the different eservers, including zseries.

New Free Email Newsletter for Mainframe Auditors

To learn more about the Mainframe Audit News (MA News), check Stu's website at: http://www.stuhenderson.com 

To Get a Free Subscription to this Newsletter

Phone Stu at (301) 229-7187 with your request, leaving your name, postal address, and phone. For back issues and articles on topics like the SERVAUTH resource class, check his website: www.stuhenderson.com.

NEW YORK RUG Meeting Dates

Tuesday, October 23, 2001 from 1 to 5PM. Mark your calendars now. See inside for details. The meeting after that will be in January, probably on a Tuesday from 1 to 5PM.


We will not meet in October. Our next meeting will be in January, likely on a Monday from 1 to 5PM. Mark your calendars now. See inside for details.

More Great Websites for RACF:

Thierry Falissard's RACF page is http://os390-mvs.hypermart.net/securyp.htm  Nigel Pentland's security page is http://www.nigelpentland.co.uk 

OS/390 Equivalence to z/OS

IBM manuals indicate that "RACF for z/OS Version 1 Release 1 is functionally equivalent to RACF for OS/390 Version 2 Release 10." If you are on RACF 2.10, you need make no RACF changes for z/OS RACF 1.1. An easy way to convert from one number system to the other is to "subtract 32, then multiply by 5/9."

Correction to Correction on TSOAUTH Class

Last issue we published a correction to an earlier comment on the TSOAUTH class. We were mistaken. To clarify, we quote here from an IBM Manual [TSO Administration, SA22-7780]: "(the Recover authority) specifies whether the user can issue the RECOVER parameter on the EDIT command." We apologize for the confusion. And thanks again, Walt.

Yet Another Correction

The website we listed last issue for IBM presentations was incorrect. The correct URL is: http://www- 1.ibm.com/servers/eserver/zseries/zos/racf/goodies.html . (Perhaps we should make "Corrections" be a regular column in this newsletter.)

Resource Rules and Generics

In many ways RACF dataset rules and resource rules are very similar. The commands to administer them are also very similar. Some users have tripped over an assumption that you can avoid. The RACF command keyword GENERIC applies only to dataset rules, not to resource rules. The commands to administer resources do not accept the keyword GENERIC. The only way to make a resource rule be generic is to use an asterisk or percent sign in its name.

New TCP/IP Security Features with z/OS Release 2

The new release will support Intrusion Detection for TCP/IP. This software will be included in TCP/IP, and can detect and protect against several different types of attack on your system.

z/OS will also support TLS (Transport Layer Security), which is the follow-on to SSL (Secure Sockets Layer).

This will increase the number of MVS systems which are connected to the Internet. Many installations connect their mainframes to the Internet because the mainframe is where the master customer file lives, and only a mainframe (as opposed to a smaller UNIX or NT box) can handle the volume of transactions that makes a sales manager smile.

Now with all the publicity about Denial of Service Attacks and hacking of websites, your executive management is going to be hearing the message that the mainframe is more secure than other platforms for e-business on the Internet because of its greater processing power and the built-in security features with z/OS. In our opinion, you deserve a raise because of the great increase in technical knowledge this will require of you.

The next article will help you add to your knowledge base.

How to Secure a TCP/IP Port

You will recall that an IP address on the Internet (for example, identifies a distinct computer, perhaps your MVS LPAR or CPU. Within that, a TCP/IP port is a number which identifies an application (for example, ports 20 and 21 are often used for FTP [File Transfer Protocol]). As you start to take responsibility for securing Internet connections with RACF, you will use the SERVAUTH resource class. One of its functions is to control who can use a specified TCP/IP port.

You would use this to prevent a programmer from writing his own programs which use a given port, then executing those programs to "hijack" the port. (For example, such a program might otherwise take over the e-mail port, browse all e-mail, and then pass it on to the real e-mail server.) READ access is sufficient.

SERVAUTH rules for this function have names like:

RDEF SERVAUTH EZB.PORTACCESS.sysname.tcpname.portname UACC(..) ...

where sysname is the name of the MVS system (&SYSNAME as specified by the MVS system programmer, see following article on system symbols) and tcpname is the name of the TCP/IP started task and portname is the RACF name for the port, as specified in the SAF operand of the PORT or PORTRANGE statement in PROFILE.TCPIP (the control file for TCP/IP).

You control this by taking two steps:

  1. Learn what ports have been defined to TCP/IP and get agreement on which ones need to be controlled by RACF. Get agreement on the portname to be used for each port. Define SERVAUTH rules in RACF with appropriate permissions and activate the class.

  2. Ask whoever maintains the TCP/IP control file (PROFILE.TCPIP) in your organization to add the SAF operand to tell TCP/IP to call RACF for those ports, specifying the agreed-upon portname for each port.

For more info on SERVAUTH, see the article on Stu's website at: www.stuhenderson.com.

Interesting Products

We haven't evaluated these, but every RACFer should know of them.

Defining System Symbols to RACF

MVS has a new feature which allows your system programmer to define system symbols, which can be substituted into JCL and into SYS1.PARMLIB definitions. For example, the symbol &SYSNAME is often defined to be the name of the system (one per LPAR or CPU). On your System A, it might be given the value SYSTEM0A, and on your System B the value SYSTEM0B. Now the system programmer can use one set of JCL, specifying &SYSNAME. MVS will substitute the value SYSTEM0A, SYSTEM0B, or whatever to replace it. This lets the sysprog use one set of JCL for several systems.

Another common system symbol is &SYSCLONE which is often set to be equal to the last two characters of &SYSNAME. In our example, it would be set equal to 0A or 0B, depending on which system was being used.

You will recognize the concept if you have seen it in catalogued procedures, macros, and CLISTs, where substitution symbols are defined having names beginning with an ampersand. You probably also recognize it as the same concept used in RACF with the RACFVARS resource class. This is the class where you define a symbol and assign possible substitution values to it.

You should consider defining rules in the RACFVARS resource class which match at least some of the system symbols defined by your system programmer. For example, to define &SYSNAME as a substitution value in RACF, with possible values of SYSTEM0A and SYSTEM0B, you could issue;



One way this can be useful is with the SERVAUTH resource class described in the article above on securing TCP/IP ports. Rules in the SERVAUTH resource class often include the name of the system as part of the name of the rule. You could use an asterisk to match any system name, or you might want to use the &SYSNAME you have defined in the RACFVARS resource class.

Lower Case Userids Beginning with irr-

You may have noticed some userids automatically defined to RACF whose names are lower case, starting with "irr". You may and should ignore these. They are for digital certificates. You should not issue any commands trying to administer them or delete them. Just let them be, and RACF will take care of them for you.

Fifteen Minute Project to Improve Your RACF

We often hear of installations that need to synchronize their RACF implementations in a hurry, either because they are starting to use RRSF, or because the are merging RACF databases. Much of this work is trivial if you aren't doing it under a rush deadline. You can save yourself future grief by starting these steps now at a leisurely pace, so that they will be complete before you need them:

  1. If you have more than one CPU or LPAR running RACF, ask your system programmer to coordinate the Class Descriptor Table entries and SAF Router Table entries, so that every resource class defined on any RACF system is defined exactly the same way on all RACF systems. Make sure the value of POSIT is coordinated across all systems. Try to make sure that all installation-defined resource classes have names including special characters (like a dollar sign) to make sure that IBM won't accidently use a name in the future that you are already using. Tell your sysprog that this is not a crucial update; it can be done at his or her leisure, but it would be nice to have it happen in the next year. This is much easier to do if the sysprog can include it with other updates at a convenient time.

  2. If you have more than one RACF database, start a project to synchronize all the SETR LIST options. Do a SETR LIST for each system. Note any difference in settings. Where there are differences, decide which approach is better and start working toward changing all systems gradually to the better approach.

  3. If you have more than one CPU or LPAR running RACF, if there are any RACF exits (see the DSMON RACF EXITS report), request your system programmer to start coordinating the exits, so the same version is on every system. Or better yet, try to eliminate RACF exits if you can.

NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS

NYRUG: At Our Next Meeting

Our next meeting will be hosted by Access360, makers of enRole (see Interesting Products above.) Access360 is also providing a free, pre-meeting lunch and product demo. The product demo preceeds and is completely separate from our regular meeting. Access360 will also host a drawing for a valuable prize. We'll have speakers from IBM (including the famous Mark Nelson) on RACF Past Present and Future, and also a talk on RACF Trends and Directions. As always, we will have a question and answer session with some of the keenest RACF minds in the State to answer questions. Please email if you will be at the lunch so we can have enough food to: DGoldman@access360.com. Please put "Free Lunch" as the subject.

Time: Tuesday, October 23, 2001. The lunch and product presentation will begin at noon. The regular meeting starts at 1PM until it's too late to go back to the office.


Access360 at 1120 6th Ave., 4th Floor, between 43rd and 44th Sts.


BWRUG (Baltimore/Washington RUG):

The BWRUG will not meet this quarter. Our next meeting will be in January, probably on a Monday from 1-5PM. See you then.

Permanently Interesting Products Column

We have not evaluated these, but think every RACF shop should know about them.

HG How to Audit Training Schedule:

         The Henderson Group now offers its series of "How to Audit.." 
seminars for IT auditors. These describe clearly how the associated software 
works, where the control points are, how to collect and interpret data, and 
how to conduct the audit.  The workbooks include complete audit programs.  If 
you have a class you would like to have added to this series, please let us 
know. These classes will be held in 2002: 

  A)     HG70 How to Audit Cross-Platform Applications ($820)  
                  Feb. 27-28,      2002 in Clearwater, FL 

  B)     HG71 How to Audit Mainframe/Internet Connections ($820)  
                  May (TBD),       2002 in Atlanta, GA 

  C)     HG72 How to TCP/IP ($410)  
                  Sept. 13,        2002 in Bethesda, MD  (near Washington, DC)

  D)     HG73 How to Audit CICS ($410)  
                  May (TBD),       2002 in Atlanta, GA 

  E)     HG74 How to Audit RACF ($820)  
                  Sept. 5-6,       2002 in Bethesda, MD (near Washington, DC) 

  F)     HG75 How to Audit MVS ($410)  
                  March 1,         2002 in Clearwater, FL 

HG RACF and Security Training Schedule:

         The Henderson Group offers its RACF and computer security/audit 
seminars around the country and on-site too.  See the details below or call 
(301) 229-7187 for a free seminar catalog.  For more info or to see what 
students say about these classes, please go to www.stuhenderson.com . (See info on 
"How to Audit ..." classes above.) 

  1)     HG04 Effective RACF Administration    ($1795)  (In 2001, this class 
         will shift to four days, still covering the same material, and at 
         the same price.)
                  Sept.10-14,      2001 in New York City 
                  Nov. 5-9,        2001 in Clearwater, FL
                  Feb. 19-22,      2002 in Clearwater, FL

  2)     HG05 Advanced RACF Administration  ($1185; In 2001, this class will 
         expand to four days, with a price increase to $1790.) 
                  Oct. 17-19,      2001 in Atlanta, GA   
                  March 11-14,     2002 in Clearwater, FL

  3)     HG17 How to Be an Effective OS/390 (MVS) Data Security Officer) 
         (covers CICS, VTAM, DB2, and JES security along with MVS security, 
         SAF, and OS/390)  ($1190)                  
                  Sept. 5-7,       2001 in New York City 
                  Dec.  11-13      2002 in Clearwater, FL 

RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)

RACF List Server on the Internet

To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: listserv@listserv.uga.edu

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.

The RACF User News is published three times a year (December, March, and September) to share information about RACF. All information in it is offered on an "as is" basis, and should be used at your own risk, and with your own testing.

For Back Issues of this Newsletter and Links to Several Useful Web Sites check the Henderson Group website at: www.stuhenderson.com

Other Internet places:

Stuart Henderson
(301) 229-7187
5702 Newington Road Bethesda, MD 20816-1282

Copyright ©: 2001, Stuart C. Henderson