RACF Users' News # 65

Sept., 2004 Newsletter

Issue No. 65

RACF (part of z/OS Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.

Revealed At Last: Steve Neeland's New Website

It's http://www.geocities.com/steveneeland/  )
You'll find a variety of tools for producing useful RACF reports.

Thierry Falissard's Great Website Has Moved Too

It's at

Updated Article on SERVAUTH Class

It's available on Stu's website at http://www.stuhenderson.com 

Click on ARTICLES.

New Email Address for Peter Goldis

It's pete@goldisconsulting.com. If you want to talk to him about his RACF password cracker program, now you can.

Vanguard Conference on East Coast This Time

It's scheduled for May 8-12, 2005 in Orlando, FL.

NEW YORK RUG Meeting Dates

Thursday, October 14, 2004 from 10AM to 4PM. PLEASE NOTE THIS IS A SPECIAL MEETING WITH DIFFERENT TIMES AND REGISTRATION REQUIRED. THIS IS A LOT OF TRAINING AVAILABLE IN ONE DAY. You will not be allowed to attend without pre-registering (it's free), as described inside. Mark your calendars now. See inside for details. The meeting after that will be in April, probably on a Tuesday from 1 to 5PM. Please note the NYRUG will meet twice a year from now on.


The BWRUG will not meet this quarter. Our next meeting will be in April, likely on a Monday from 1 to 5PM. Mark your calendars now. See inside for details. Please note the BWRUG will meet twice a year from now on.


To Get a Free Subscription to the RACF User News

Phone Stu at (301) 229-7187 with your request, leaving your name, postal address (sorry, only US postal addresses; others will need to read issues online), and phone. For back issues and articles on topics like the SERVAUTH resource class, check his website: http://www.stuhenderson.com 

RACF for z/OS 1.6 Available

The new release has several features including:

Interesting Products

(Please note that it is your responsibility to evaluate any product for yourself. We do not recommend products; we just tell you about ones we think you might find interesting.)

RSH- RDELTA monitors changes to your RACF databases to help you merge them, synchronize them, compare them, and research changes in them. Contact Bob Hansel at (617) 641-0072 or www.rshsoftware.com for more info.

Suggestions to Make Your Life Easier

  1. If you haven't already, make RACF run in its own address space as a separate sub-system. This will let you execute RACF commands as operator commands, a nice capability when the system is hung. Use rules in the OPERCMDS resource class whose names start RACF.... (or whatever the sub-system name is) to control who can issue RACF operator commands.
  2. If you're planning on migrating from DB2 internal security to the RACF DB2 interface, start early by identifying which applications DON'T identify users by their RACF userid. (Some DB2 applications identify users to DB2 by the CICS transaction id, the terminal id, or other id.) You will want to plan how to define these applications' users to RACF.

About the APPCLU Resource Class

This is one of those resource classes we tend to ignore, because we're not quite sure what it does, or how, and besides, the VTAM guy never asked us to do anything about it. It's worth taking another look at, especially if your SNA network is connected to many other companies' nets.

The current method of connecting two networks is called APPN (Advanced Peer to Peer Networking). With APPN, each copy of VTAM is called a CP or Control Point. Each CP has a name, and they use their names to identify themselves to CPs in connected networks.

If the VTAM sysprog doesn't require it, there is no guarantee that each CP is who it claims to be. It could be possible for a computer to fake its identity, and pretend to be a Control Point that it isn't. This could potentially lead to spoofing of terminals and applids, and a significant risk.

The approved way to control this risk is to have the CPs prove their identity to each other. This is one purpose of the APPCLU resource class.

With APPCLU, each CP can require proof of identity for each CP it connects to. This is done by putting an encryption key in the RACF APPCLU resource rule for each CP. Then (this is an oversimplification), one CP sends a message encrypted with the RACF-provided key: "If you're really CP so and so, then send me back the word 'hippopotomus'". If the second CP sends back the correct word, then the first CP knows the identity of the second. The logic is "Only one other CP in in world knows that encryption key and could have decrypted my message." Of course, the second CP got the encryption key from his RACF APPCLU rule.

VTAM can decide whether do this extra level of checking based on settings provided by the VTAM system programmer. Usually, the setting specifies "Don't bother calling RACF. Just trust the identity of the other CP." This is not necessarily secure or unsecure. To understand it better, you might buy your VTAM sysprog lunch and discuss your network connections and the possible risk of someone spoofing your CPs.

Cincinnati RUG Has a New Name

It's now called Kentucky-Ohio-Indiana RUG or KOIRUG. (Is the mascot a goldfish?) For more info, see www.rshconsulting.com/rugs/KOIRUG.

New England RUG Still Going Strong

RUGONE (RACF User Group Of New England) is still actively sharing info. To learn more, see www.rshconsulting.com/rugs/RUGONE.

Make Your Own RACF Report Writer to Process SMF Data with SAS

If you want to report on RACF related SMF data, the following sample program is something you can copy, cannibalize, and tailor to your heart's content. It is offered as is, with no guarantees, and no support. But if your shop has SAS, and you can get READ access to the SMF data, and get someone to show you the JCL for SAS, you will love what it lets you do.

The sample program below is followed by some brief explanations on the next page. If you've programmed in any language at all, you should find that you understand SAS now.

  INPUT @2 REC_TYPE    PIB1.  @;
         @15   SMF80DES      PIB1.
         @17   EVENT         PIB1.
         @18   QUAL          PIB1.
         @19   USERID        $8.
         @27   GROUP         $8.
   IF SMF80DES NE '1.......'B              THEN DELETE;




   PLOT  HOUR *  MIN /VAXIS = 0 TO 24 BY 1
                      HAXIS = 0 TO 60 BY 5;

(Note all SAS statements end in a semicolon and any line with an asterisk in column one is a comment. The DATA section reads the SMF data and writes it to a SAS file named A. Then the PROC statements use the SAS file as input. The DATA statement says "Create a SAS file named A." The KEEP statement names the fields to be included in the SAS file. The INFILE statement gives the DDNAME of the input SMF file. INPUT @2 reads from position 2 the numeric record type of the SMF record.)

Comment on the SAS Program to Process RACF SMF Data

This program reads the SMF data, ignoring all records except type 80 records (RACF records). Of these it ignores all records except those which represent violations (as specified in SMF80DES). For each type 80 describing a violation, it writes one record to the SAS file named A. The EVENT field tells us what RACF event caused the logging and the QUAL or qualifier tells us the whether it failed and if so why.

SAS files are special files which include the field names and definitions along with the data your are storing. The first statement in the program (DATA A;) says that you are creating a SAS file named A. The PROC statements towards the end work like this:

Within the DATA section, the INFILE statement gives the DDNAME of the input SMF file, and INPUT reads from it into specified fields. (PIB1. describes a one byte binary field. $8. describes an 8 character character field.)

SAS programs open and close files without you having to tell them. When you get to the end of the DATA section, it automatically goes back to the beginning to read the next record. At end of file, the DATA section stops and passes control to the PROC section following.

You can learn more about the SMF record layouts and the meanings of the events and qualifers from the IBM manual "RACF Macros and Interfaces".

We invite any REXX programmer to share similar code with us all.

NYRUG (New York RACF Users Group):

Our next meeting is at IBM, 590 Madison Avenue, Room 1219. Attendees must present a government-issued photo ID to enter the building. Please note the early start and finish times Admission is free to hear these great speakers, but you must pre-register by emailing NO LATER THAN NOON Oct. 13 to Mark Nelson (markan@us.ibm.com) with "NYRUG Meeting" in the subject line and your name and company in the body. Pre-registration is highly recommended. We will have some of the best speakers possible on topics you need to learn about:

Starting at 10:00 AM

(Please note that times are approximate and that speakers and topics are subject to revision.)

Time:Thursday, October 14, 2004 from 10AM-4:00PM.

Place:IBM, 590 Madison Avenue in Room 1219. Attendees must present a photo ID to enter the building and must pre-register in advance.


BWRUG (Baltimore/Washington RUG): Next Meeting

The BWRUG will not meet this season. See you in April.

New Free Email Newsletter for Mainframe Auditors
To learn more about the Mainframe Audit News (MA News), check Stu's website: http://www.stuhenderson.com 

HG How to Audit Training Schedule:
The Henderson Group now offers its series of "How to Audit.." seminars for IT auditors. These describe clearly how the associated software works, where the control points are, how to collect and interpret data, and how to conduct the audit. The workbooks include complete audit programs. More information is available at our website: www.stuhenderson.com. If you have a class you would like to have added to this series, please let us know. (See info on "RACF and Security" classes below.)

  A)      HG63 How to Audit Windows, UNIX, and TCP/IP ($1470)  
                   June 1-3,          2005 in Washington, DC

  B)      HG64 How to Audit MVS, RACF, ACF2, CICS, and DB2 ($1450)  
                   Nov. 1-3,          2004 in Clearwater, FL
                   Nov. 2-4,          2005 in Washington, DC

  C)      HG73 How to Audit CICS ($410)  
                   Apl. 28,           2005 in Washington, DC

  D)      HG74 How to Audit RACF ($820)  
                   Apl  7-8,          2005 in Washington, DC

  E)      HG75 How to Audit MVS ($410)  
                   Apl  29,           2005 in Washington, DC

HG RACF and Security Training Schedule:
The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog. For more info or to see what students say about these classes, please go to www.stuhenderson.com. (See info on "How to Audit ..." classes above.)

  1)      HG04 Effective RACF Administration    ($1895)  
                  Oct.  18-21,        2004 in Cape Code, MA
                  Mar.   8-11,        2005 in Clearwater, FL
                  May     3-6,        2005 in Washington, DC
  2)      HG05 Advanced RACF Administration  ($1890)
                  Oct.    4-7,        2004 in Bethesda, MD
                  Mar.    1-4,        2005 in Clearwater, FL
                  May   24-27,        2005 in Washington, DC

  3)      HG06 UNIX (USS) for RACF Administrators  ($410)
                  Apl      15,        2005  in Washington, DC

  4)      HG17 Comprehensive z/OS Security (covers 
          CICS, VTAM, DB2, and JES security along with MVS security, SAF, 
          OS/390, and z/OS)                          ($1190)  
                  May   18-20,         2005  in Washington, DC

Permanently Interesting Products Column
This column has been permanently moved from this newsletter to Stu's website. You can find it at: www.stuhenderson.com/XINFOTXT.HTM 

RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)

RACF List Server on the Internet
To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: listserv@listserv.uga.edu

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary. You will want to set up a filter for incoming emails to direct mail from the list server to a dedicated folder or directory.

New Free Email Newsletter for Mainframe Auditors
To learn more about the Mainframe Audit News (MA News), check Stu's website at: http://www.stuhenderson.com 

The RACF User News
is published two times a year (December, March, and September) to share information about RACF. All information in it is offered on an "as is" basis, and should be used at your own risk, and with your own testing.

Other Internet places:

Stuart Henderson
(301) 229-7187
5702 Newington Road Bethesda, MD 20816-1282

Copyright ©: 2004, Stuart C. Henderson