RACF Users' News # 60

Sept., 2002 Newsletter

Issue No. 60

RACF (part of z/OS Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.

Georgia RUG Site Will Be Back Soon
The GARUG website has been temporarily out of service, apparently due to ISP issues. Good people are working on the problem and the site should be back up shortly.

What is IPv6?
Most of us think of IP addresses (as in TCP/IP) consisting of four octets (8 bits each) separated by dots: (32 bits). Since we've already started to run out of numbers, the people in charge have developed a new addressing scheme based on eight pieces of sixteen bits each (128 bits) separated by colons: 261:262:263:264:265:266:267:268. This addressing scheme is called IPv6 and is supported by TCP/IP on the mainframe (z/OS 1.4). How RACF will fold this into the TERMINAL class (as we do now with the four octets and FTP) will be an interesting question. (A useful manual is "IPv6 Network and Application Design Guide", SC31- 8885) (Wouldn't "FTP and the Octets" be a great name for a rock band?)

NEW YORK RUG Meeting Dates
Tuesday, October 22, 2002 from 1 to 5PM with a product demo lunch from CONSUL from noon to 1PM. Mark your calendars now. See inside for details. The meeting after that will be in April, probably on a Tuesday from 1 to 5PM. Please note the NYRUG will meet twice a year from now on.

The BWRUG will not meet this season. Our next meeting will be in April, likely on a Monday from 1 to 5PM. Mark your calendars now. See inside for details. Please note the BWRUG will meet twice a year from now on. -------------------------------------------

This Newsletter Switching to Twice a Year
Issues will come out in March and in September of each year, just in time to announce the April and October meetings of the BWRUG and NYRUG.

Permanently Interesting Products Column
is now permanently moved out of this newsletter to Stu's website at http://www.stuhenderson.com/ XINFOTXT.HTM.

Texas RACF Users Group is better than ever!
Call Robert Roche at (713) 831-2007 for info.

In Miami, the South Florida RACF Users Group
is still going strong. For further info, please contact Katherine Ramos, (305) 995-3835.

How Do I Tell What UACC I Should Have for System Datasets?
See the IBM Manual "Security Administrator's Guide", Appendix E.

RACF Automatically Maintains Unique UIDs and GIDs
It used to take IBM several years, some say decades, between hearing a request for a great RACF improvement to actually implementing it. They seem to have reduced this time lag from years to a few months. With the latest release (RACF for z/OS 1.4), RACF keeps track of UIDs and GIDs, assigns unique ones automatically, and can protect you from inadvertently assigning someone a UID which is already assigned to someone else. (A UID of course is the number USS (UNIX) uses to identify a user; a GID is the number USS uses to identify a group.)

This all works with new keywords on the AU, ALU, AG, and ALG commands, plus a new UNIXPRIV class rule named SHARED.IDS. If the rule exists, then RACF allows sharing of UIDs and GIDs only when you specify the SHARE operand, as in the examples below. In these examples AUTOUID and AUTOGID request automatic assignment of unique UIDs and GIDs respectively. The keyword SHARE tells RACF to allow assignment of an already assigned UID or GID.

To use the SHARE operand, you need either SPECIAL or READ permission to the SHARED.IDS rule in the UNIXPRIV class.





The SEARCH command has also been updated to list all users or groups assigned a given UID or GID:



(If you want this functionality for RACF 2.10, you can do it with APAR OW52135, but you have to re-structure your RACF database in any case. See next article.)

Why You Want to Ask Your System Programmer to Re-Structure Your RACF Database
In RACF 1.9, we restructured the RACF database, gaining significant benefits in performance. In RACF 2.10, IBM made it possible for us to implement yet another restructuring, called IRA (Internal Re-Organization of Aliases). This re-structuring takes time and effort, spread over three separate phases, as described in the RACF System Programmers Guide. The automatic assignment of UIDs and GIDs described above is only available after you have reached at least phase 2 of the restructuring.

This re-structuring is sometimes referred to as AIM (Application Identity Mapping) because it supports translation between RACF userids and the names that other applications call users. Other RACF features in the future will rely on this re-structuring, so you will want to make sure that it's on your sysprog's to-do list. Let her schedule it at her convenience, so long as it gets done before you need it.

New Features in Latest Release of RACF
In addition to the UID/GID improvements described above, RACF for z/OS 1.4 gives us these improvements:

What is the Difference Between EIM and AIM?
EIM (Enterprise Identity Mapping) lets you specify a computer which is used to verify users' identities for other computers. It makes use of LDAP (Lightweight Directory Access Protocol) which is available on IBM platforms, Windows 2000 and XP, and Novell Directory Services. Each computer can have an LDAP database defining its users. (The one on MVS talks to RACF to keep things in sync.) The different LDAP servers trust each other, to support single signon. EIM lets you automatically translate a user's name for an application that executes on several different types of computer.

AIM (Application Identity Mapping) is a RACF feature which provides translation between the RACF userid and the names that other software calls users. (For example, UNIX calls a user by his UID; DCE calls a user by her UUID.) AIM takes place completely within the RACF database (including the index records).

To Get a Free Subscription to the RACF User News
Phone Stu at (301) 229-7187 with your request, leaving your name, postal address (sorry, only US postal addresses; others will need to read issues online), and phone. For back issues and articles on topics like the SERVAUTH resource class, check his website: www.stuhenderson.com.

Fifteen Minute Project to Improve Your RACF
To prepare for HIPAA, you will want to make RACF ready. (HIPAA is the Health Insurance Portability and Accountability Act whose regulations will shortly be made final by the US government. HIPAA will require certain standards for protection of confidentiality and integrity of certain health information. Many organizations can expect to be audited for "HIPAA compliance.") HIPAA will almost certainly require at least two things of RACF installations. Here's how to be ready:

  1. Ask the person in charge of HIPAA compliance in your organization which applications, if any, will need to be HIPAA compliant. If none, then go have a pleasant lunch with someone whose company you enjoy.

  2. If you do not have ERASE-ON-SCRATCH active, you will likely need to do so, but ONLY FOR CERTAIN files. (EOS is a feature that writes zeroes over the data in a disk dataset when the dataset is erased. Otherwise, the data could be browsed by the next user to allocate a dataset on that part of the disk pack. One advantage of RACF over ACF2 and TopSecret is that you can implement EOS for individual files.) There used to be a performance concern with EOS that was serious enough that you would not want to implement it without careful testing. You can do that testing now, at your convenience and the convenience of your system programmers. (Recent hardware improvements in disk drives and controllers have made the performance problem almost a non-issue. However, you do not want to implement EOS without slow, careful testing.) Here's how:

    Make sure that no dataset rules specify ERASE. (Check this by using software ike CONSUL or Vanguard, or by using the RACF Database Unload Utility. Too bad that the SEARCH command won't do this for us.) Then working with your performance system programmer, create test datasets of 1 cylinder, 10 cylinders, and 100 cylinders. Erase those datasets, timing how long it takes. Then alter their dataset rules to specify ERASE. (For example, ALD 'xxxx' ERASE.) Activate EOS by issuing SETR ERASE(NOSECLEVEL). This will activate EOS only for datasets with ERASE in their RACF dataset rule. Now repeat the allocation, deletion, and timing of the datasets. Repeat several times if you want to be sure you got accurate timings. Then turn off EOS, by issuing SETR NOERASE. Discuss the results with your performance system programmer. Now if auditors require EOS for health information data, you will know where you stand.

  3. Find out if all your production batch jobs execute with the same userid. This happens if they are all submitted by the same job scheduling software, and none of the JOB cards specifies USER=. If this is the case in your shop, you will probably need to change this, at least for applications affected by HIPAA. There's an easy way to do this, using the SURROGAT resource class to authorize the job scheduling software to submit batch jobs for other userids without having to specify their passwords. Start learning now how to set this up, so you will be ready if HIPAA auditors require it.

This Issue's Wish
Wouldn't it be nice if the SEARCH command would identify all dataset rules with ERASE?

Two Resource Classes You Administer a Little Bit Differently
The PROGRAM and GLOBAL resource classes get activated, refreshed, and defined differently from other classes. The PROGRAM class is not activated with SETR CLASSACT like a normal class. Instead you activate it with SETR WHEN(PROGRAM). After you change rules in this class, you refresh it with SETR WHEN(PROGRAM) REFRESH. The PROGRAM class does not support WARNING mode. It does its own processing of generic characters, accepting an * only at the end of the name, and not accepting % at all. It is the only class which accepts a PERMIT command with WHEN(SYSID(...)).

To activate the GLOBAL class, you also don't use SETR CLASSACT. Instead, you activate GLOBAL checking for some other class [example: SETR GLOBAL(DATASET)], which has the effect of activating the global class, even if your DSMON says that GLOBAL is INACTIVE. To refresh GLOBAL DATASET rules, issue SETR GLOBAL(DATASET) REFRESH. Once the GLOBAL DATASET rule has been created, if you want to define a new dataset rule within it, you use RALT, not RDEF, since you are modifying an existing rule with an ADDMEM. Most RACF shops use GLOBAL checking for datasets, and not for any resource classes.

New Free Email Newsletter for Mainframe Auditors
To learn more about the Mainframe Audit News (MA News), check Stu's website: http://www.stuhenderson.com 

Interesting Products Column
We have not evaluated these products, but think they might be of interest to RACF administrators:

The Group Named TTY
This group is a magic group which you should not touch. USS uses it for its own purposes. You will need to define it for USS to use, but don't try to alter or delete it.

What is System SSL?
SSL (Secure Sockets Layer) is the basis for much of security on the Internet. It can provide automatic encryption and identification of the other party in a session. It relies on digital certificates, which will often be stored in the RACF database, and associated with RACF userids. In the near future, RACF administrators will need to have at least some knowledge of how this all works.

It used to be that IBM had a separate version of SSL for each software product. This meant duplication and extra administrative hassle. IBM recently improved TCP/IP under MVS to provide a single version of SSL for all software products. Now products like DB2, Websphere, and CICS can all share the same SSL. The control files for each product can specify whether to use SSL for TCP/IP connections, and whether to look for digital certificates in some UNIX file or in RACF.

New Free Email Newsletter for Mainframe Auditors
To learn more about the Mainframe Audit News (MA News), check Stu's website at: http://www.stuhenderson.com 

NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS
NYRUG: At Our Next Meeting
Our next meeting will be hosted by CONSUL. They are also providing a free, pre-meeting lunch and product demo. The product demo precedes and is completely separate from our regular meeting. At the regular meeting, Rich Guski of IBM will speak on "Trends Driving eServer Security". Another great IBM speaker will describe the latest features of RACF for z/OS 1.4. Randy Young of CONSUL will speak on "RACF Compliance Reviews from the Security Officer's Perspective". Claude Vigeant of Okiok will speak on "Leveraging Legacy Infrastructure for e-business". As always, we will have a question and answer session with some of the keenest RACF minds in the State to answer questions.

Tuesday, October 22, 2002. The lunch and product presentation will begin at noon. The regular meeting starts at 1PM until it's too late to go back to the office.

Holiday Inn, 440 West 57th St, NYC, phone (212) 581-8100. Lunch will be either at the Via Strada restaurant in the hotel or in the regular meeting room at noon. The regular regular meeting room will be as specified on the sign in the lobby.


BWRUG (Baltimore/Washington RUG):
The BWRUG will not meet this season. See you in April.

HG How to Audit Training Schedule:

         The Henderson Group now offers its series of "How to Audit.." 
seminars for IT auditors. These describe clearly how the associated software 
works, where the control points are, how to collect and interpret data, and 
how to conduct the audit.  The workbooks include complete audit programs.  
More information is available at our website: www.stuhenderson.com.  If you 
have a class you would like to have added to this series, please let us know.  
These classes will be held in 2002 and 2003 (additional dates in 2003 will be 
available soon): 

  A)     HG70 How to Audit Cross-Platform Applications ($820)  
                  Apl. 2-3,                 2003 in Bethesda, MD 

  B)     HG71 How to Audit Mainframe/Internet Connections ($820)  
                  Mar. 4-5,                 2003 in Clearwater, FL

  C)     HG72 How to Audit TCP/IP ($410)  
                  Sept. 13,                 2002 in Bethesda, MD  (near Washington, DC)

  D)     HG73 How to Audit CICS ($410)  
                  Mar. 3,                   2003 in Clearwater, FL 

  E)     HG74 How to Audit RACF ($820)  
                  Sept. 5-6,                2002 in Bethesda, MD (near Washington, DC) 

  F)     HG75 How to Audit MVS ($410)  
                  April 4,                  2003 in Bethesda, MD 

HG RACF and Security Training Schedule:
         The Henderson Group offers its RACF and computer security/audit seminars around the
country and on-site too.  See the details below or call (301) 229-7187 for a free seminar catalog.  
For more info or to see what students say about these classes, please go to
www.stuhenderson.com.  (See info on "How to Audit ..." classes above.) (Additional 2003 dates
will be available shortly.)

  1)     HG04 Effective RACF Administration    ($1795 in 2002, $1895 in 2003)  
                  Dec. 3-6,        2002 in Bethesda, MD (near Washington, DC)
                  Mar. 11-14,               2003 in Clearwater, FL

  2)     HG05 Advanced RACF Administration  ($1790 in 2002, $1890 in 2003) 
                  Sept. 24-27,              2002 in New York City
                  Feb. 18-21,               2003 in Clearwater, FL

  3)     HG06 UNIX (USS) for RACF Administrators  ($410) 
                  Dec. 10,                  2002 in Bethesda, MD (near Washington,DC)
                  Mar. 10,                  2003 in Clearwater, FL

  4)     HG17 How to Be an Effective z/OS or OS/390 (MVS) Data Security Officer)
         (covers CICS, VTAM, DB2, and JES security along with MVS security, SAF,
         OS/390, and z/OS)  ($1190)                  
                  Dec.  11-13               2002 in Bethesda, MD (near Washington, DC)

Permanently Interesting Products Column
This column has been permanently moved from this newsletter to Stu's website. You can find it at: www.stuhenderson.com/XINFOTXT.HTM 

RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)

RACF List Server on the Internet
To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: listserv@listserv.uga.edu

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.

The RACF User News is published two times a year (December, March, and September) to share information about RACF. All information in it is offered on an "as is" basis, and should be used at your own risk, and with your own testing.

Other Internet places:

Stuart Henderson
(301) 229-7187
5702 Newington Road Bethesda, MD 20816-1282

Copyright ©: 2002, Stuart C. Henderson