RACF Users' News # 37

June, 1996 Newsletter

Issue No. 37


RACF is a trademark of IBM. This newsletter is not affiliated with IBM in any way.

How To Liven Up Your Next Disaster Recovery Test

Before you leave the hotsite, IPL with a date in the year 2000 or later. Try running some applications and compare results with the 1996 execution. And of course, don't forget to wipe all your data off the disk packs at the hotsite before you leave. (A clean damp cloth will NOT do the trick.) Thanks to Santos Ayalla and to Maria Woodside for the suggestion.

PTF Watch

With PTF OW13567 (UW90235) you can let RRSF talk to a SYSPLEX, instead of having it address each CPU or LPAR individually.

Internet Server on MVS

IBM offers a product (Bonus Pack WebServer for OS/390) to let our mainframes hook directly to the Internet. This might form the basis for an internal Internet or "Intranet" for your company. If this raises security issues in your mind, hear what Cees Kingma of IBM has to say at the next NYRUG meeting on how to secure this. ("Ho hum, the mainframe is just another node on the net.")

NEW YORK RUG Meeting Dates

On Wednesdays, from 1 to 5 PM: July 17, 1996; October 16, 1996; and January 15, 1997. Mark your calendars now. See inside for details.

BALTIMORE/WASHINGTON RUG Meeting Dates

On Thursdays, from 9 AM to Noon: July 18, 1996; October 17, 1996; and January 16, 1997. Mark your calendars now. See inside for details.

Career Advice

If you just stick to MVS and RACF, then you won't be the security professional, the person in charge of security, in your shop. Someone else will be. (Paraphrase of Marilyn Allmond at BWRUG meeting.) This means we need to learn other platforms, and how to integrate them. It means stepping up to DCE, OMVS, cross-platform administration tools (including RRSF), and a host of new technologies represented by the new RACF resource classes.

Interesting Products Column

These are new products which we have not evaluated, but which we think you might find interesting.

In This Issue:

NOT In This Issue (but scheduled for a future one):

Some Notes on the PROGRAM Class

The PROGRAM resource class is different from other classes in several ways. First, you don't activate it by saying SETR CLASSACT(PROGRAM). That would be logical and therefore couldn't be. Instead, you activate PROGRAM protection by entering SETR WHEN(PROGRAM).

Second, the PROGRAM class uses FRACHECK instead of RACHECK (see next article please).

Third, nobody knows who the owner of the PROGRAM class is (in the sense that the head of the Payroll Department is the owner of the payroll data). No one seems to have a practical way to identify which programs need to be protected, and who should be permitted to them. As a result, nearly everyone defines a few rules to keep the auditors happy, and then looks the other way. If your auditors give you grief for not having what they think is an appropriate set of PROGRAM class rules, ask them how they think the list of protected programs should be developed. (Our opinion is that it starts with the list of APF-authorized programs, which could then be reduced by identifying all those which have logic in them to protect against abuse. Our opinion is also that for most shops, the effort to do this analysis is prohibitive. Perhaps some software vendors of products like CA-EXAMINE [vendors such as CA, CONSUL, and JANUS] would like to offer some suggestions.) In the meantime, ask your auditors to conduct the cost-benefit analysis before making a recommendation. (Maybe some of the Big 6 accounting firms which evaluate Best Practices in various industries will have some suggestions too!)

Some Notes on FRACHECK

FRACHECK (or RACROUTE with REQUEST=FASTAUTH which amounts to the same thing) is a call to RACF to answer the question "Can this user do x?" FRACHECK is a "fast" version of the similar RACHECK function. RACHECK is slower because it takes time to read rules from the RACF database. FRACHECK is faster because it uses rules kept in a table in memory, avoiding the time to read from disk.

RACHECK is called by OPEN when you open a dataset. FRACHECK is called by CICS and IMS when you access one of their transactions or other resources. FRACHECK is also invoked in the PROGRAM class when you execute a program.

Recent changes in MVS make it possible to share the copy of the rules used by FRACHECK. For example, if two CICS regions use the TCICSTRN class for their transaction rules, you can let them share one copy of the rules by using a RACF feature called RACLIST with GLOBAL=YES. Release 4 of CICS uses this. This feature stores the rules in a separate address space or dataspace, instead of in the CICS region. The result is more free room in the CICS region.

Another advantage of this is obvious when you change one of these rules, say by permitting a new userid or group to a transaction. Instead of refreshing the copy of the rules in memory with the CICS command CEMT P S R, you refresh them with the RACF command SETR RACLIST(TCICSTRN) REFRESH. Unlike the CEMT command, this doesn't make the CICS region pause. Another advantage is that it makes sure that both regions have the same set of RACF rules, so you don't have to coordinate rule changes so much.

To introduce this feature smoothly, you might want to discuss this with your CICS system programmer. Then prepare for the RACGLIST resource class. Include this in SYSPLEX plans too.

How RACF Security Works With OMVS (UNIX Under MVS) [Part 1, see next issue for more]

When you work with OMVS, the two basic security questions get answered differently than if you were in straight UNIX or straight MVS. (The two basic questions are of course: Q1) Who is this User? and Q2) Can this User do x? where x can be any function such as open a dataset or execute a transaction.)

Q1 in MVS:

In straight MVS, the first question is usually answered with a userid and password, which get validated by the RACINIT function in RACF. (For example, TSO and CICS both issue a RACINIT when you logon or signon.) The result of a successful RACINIT is a control block called the ACEE which has most of the information except the password from the RACF user profile. This ACEE is the answer to Q1 as far as RACF is concerned. (Yes, yes, we know. It's not really a RACINIT call any more. The RACINIT call has been replaced with a RACROUTE call to MVS, which gets passed onto the part of RACF which does RACINITs. So the net result is like a RACINIT, but through an indirect route. When we say RACINIT or RACHECK, we mean the RACINIT or RACHECK function, which we know is invoked with a RACROUTE. Pace, you purists.)

Q1 in UNIX:

When you sign onto TSO, your signon results in an ACEE. When you next issue the OMVS command to go "through the looking glass into UNIX-land", then UNIX asks RACF who you are. The answer for UNIX is not a TSO userid; rather it is a numeric UID. RACF gets the UID from your OMVS segment in the RACF database. This segment is considered an extension of your RACF user record. RACF passes the UID to UNIX, which puts it into a UNIX control block called the USP or User Security Packet. This USP is the answer to Q1 as far as UNIX is concerned.

Q2 in MVS:

The answer to Q2 in RACF terms comes from the DATASET and RESOURCE records in the RACF dataset. When you open a dataset for example, OPEN issues a RACHECK call to RACF which asks "Q2) Can this User open this dataset?". RACHECK compares the information in the User's ACEE to the information in the appropriate DATASET or RESOURCE record and returns a YES or NO which is the answer to Q2.

Q2 in UNIX:

The answer to Q2 in OMVS is based not on the RACF DATASET rules but on a UNIX control block called the FSP or File Security Packet. Once you are in OMVS and you try to open a UNIX file, UNIX compares the information in your USP to the information in the FSP and returns a YES or NO, which is the answer to Q2.
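The Q2 comparison in UNIX-land, as an added example in Python (not code from the newsletter): it models a USP and an FSP with the standard UNIX owner/group/other permission bits that OMVS files carry, and shows the check an OMVS file open performs, including the case where a file's owner bits are tighter than its "other" bits. Class names, field names and the sample UIDs/GIDs are constructed for illustration.

```python
# Added example (not from the newsletter): a model of the OMVS answer to Q2.
# USP = who the user is (UID plus GIDs), FSP = who may touch the file
# (owner UID, owner GID, permission bits). The check follows standard UNIX
# semantics; field names and sample values are constructed for illustration.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits inside one rwx triplet


@dataclass
class USP:  # User Security Packet: built from the RACF OMVS segment
    uid: int
    gid: int
    supplementary_gids: frozenset = field(default_factory=frozenset)


@dataclass
class FSP:  # File Security Packet: stored with the file in the HFS
    owner_uid: int
    owner_gid: int
    mode: int  # e.g. 0o640 -> owner rw-, group r--, other ---


def can_access(usp: USP, fsp: FSP, want: int) -> bool:
    """Q2 in UNIX-land: does this USP satisfy this FSP for the wanted bits?

    Only ONE triplet is consulted: owner if the UIDs match, else group if the
    user's GID or any supplementary GID matches, else other. A file whose owner
    bits are tighter than its 'other' bits therefore denies its own owner.
    """
    if usp.uid == 0:  # superuser: permission bits are not enforced ...
        if want & X:  # ... except that exec still needs at least one x bit
            return bool(fsp.mode & 0o111)
        return True
    if usp.uid == fsp.owner_uid:
        triplet = (fsp.mode >> 6) & 7
    elif fsp.owner_gid == usp.gid or fsp.owner_gid in usp.supplementary_gids:
        triplet = (fsp.mode >> 3) & 7
    else:
        triplet = fsp.mode & 7
    return (triplet & want) == want


# Constructed sample: a file owned by UID 2002 / GID 100 with mode 640,
# a user in the file's group, and a user in some other group.
payroll = FSP(owner_uid=2002, owner_gid=100, mode=0o640)
alice = USP(uid=1001, gid=100)
bob = USP(uid=3003, gid=200)

if __name__ == "__main__":
    print("alice read :", can_access(alice, payroll, R))  # group r-- allows it
    print("alice write:", can_access(alice, payroll, W))  # group has no w
    print("bob read   :", can_access(bob, payroll, R))    # other --- denies it
```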

So Where Does the FSP Come From, Who Controls It, and How Do MVS Files and UNIX Files Differ?

When your system programmer installs OMVS, she allocates a large PDSE MVS dataset, called the HFS (or Hierarchical File System) dataset. OMVS uses the HFS dataset to contain all the UNIX files. (On the MVS side of the looking glass, the dataset is a normal PDSE dataset, which needs to be protected by RACF. From the OMVS side of the looking glass, HFS is the place where all the files live.)

UNIX files in the HFS are organized into directories. The directories are organized into a tree, with parent and child directories, just like on your personal computer.

Another Free Offer From Essential Software

Free (1 CPU only) Offer From Essential Software

Here are two RACF tools written using Essential Information Retrieval for RACF (EIR) freeware that will clone a user and rebuild a deleted user.

Cloning a User
--------------------

It is a common practice when creating a new RACF user Id to use another Id as a model. Normally, there are differences between the new and model Id such as the user's name and, possibly, the installation data. Therefore, it is desirable to have an online process that will:

  • generate commands to clone a user
  • allow for editing of commands
  • allow commands to be executed real-time, displaying commands as they execute

The following CLIST will do the above logic.

    PROC 2 USER NEWUSER
    %CALLOC COMMANDS                                        /* allocate Essential files */
    ISPEXEC VGET CMDFILE SHARED                             /* get commands file name */
    ESSEXEC REPLICATEUSER PROFILE(&USER) NEWUSER(&NEWUSER)  /* generate RACF commands */
    ISPEXEC EDIT DATASET('&CMDFILE') MACRO(RUNMSG)          /* edit/execute commands */
    EXIT
    

Rebuilding a User
----------------------

Sometimes, it is necessary to recover a deleted user Id. The following REXX exec will generate the necessary RACF commands to rebuild a deleted RACF user.

    /* REXX */
    ARG USER                                      /* userid to rebuild */
    "%CALLOC COMMANDS"                            /* allocate Essential files */
    ADDRESS ISPEXEC "VGET CMDFILE SHARED"         /* get commands file name */
    /* generate RACF commands */
    ADDRESS ISPEXEC "SELECT PGM(ESSEXEC) PARM(REPLICATEUSER PROFILE("USER"))"
    /* edit/execute commands */
    ADDRESS ISPEXEC "EDIT DATASET('"CMDFILE"') MACRO(RUNMSG)"
    EXIT
    

To comment or receive a free copy of EIR contact:

Rocky Smith
Essential Software & Services, Inc.
Phone: (770) 537-0077
Fax: (770) 537-5377
E-mail: rockysmith@usa.pipeline.com

Other products available are:
Essential List Parsing for RACF
Essential Format Commands for RACF

Permanently Interesting Products Column

We have not evaluated these, but think every RACF shop should know about them.

HG RACF and Security Training 1996 Schedule:

The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog.

  1) HG04 How to Implement and Administer RACF Effectively ($1595)
     Sept. 9-13, 1996 in Atlanta, GA
     November 18-22, 1996 in New York, NY
     Feb. 24-28, 1997 in Clearwater, FL

  2) HG17 Comprehensive MVS Security ($800)
     Oct. 8-9, 1996 in Clearwater, FL
     Dec. 9-10, 1996 in Washington, DC
     January 13-14, 1997 in New York City

  3) HG18 Comprehensive CICS Security ($395)
     October 7, 1996 in Clearwater, FL

  4) HG44 Advanced Level RACF Administration ($800)
     November 7-8, 1996 in Clearwater, FL

  5) HG57 Comprehensive UNIX Security ($800)
     Sept. 16-17, 1996 in New York City
     Nov. 4-5, 1996 in Clearwater, FL

NYRUG (New York RACF Users Group) NEWS

At our last meeting (thanks to Grace Studifin and host Depository Trust Company), Rich Guski of IBM described the new OS/390 Security Server. Mark Nelson of IBM described some of the new RACF features added since RACF 2.2 became available. Hayim Sokolsky of PaineWebber described how to secure SDSF with RACF. Bryan Childs of IBM described a critical PTF OW13567 for RACF Remote Sharing.

At Our Next Meeting

We will hear from Cees Kingma of IBM on "New Concepts in Internet Security" and the "Internet Connection Server for MVS". We hope as well to have a speaker on RACF 2.2 experiences. Of course, we will end with a Q&A session.

Time: Wednesday, July 17, 1996 at 1 PM until it's too late to go back to the office.

Place: at Brooklyn Union Gas, One MetroTech Center, Brooklyn, NY. This is at the intersection of Jay St. and Johnson St. (which is now called Tech Place). The building is just one subway stop from Manhattan: the A, F, and C IND trains stop at the front door on Jay Street near Willoughby. The 2, 3, 4, and 5 IRT trains stop nearby, as do the M, N, and R trains, all with stops at either Borough Hall or Lawrence St. These buses stop at the front door: 25, 26, 38, 41, 52, 54, and 67. There is public parking operated by Edison Public Parking on the C1 level of One MetroTech Center and in the nearby SIAC building.

If you are driving: via the BQE Westbound, exit at Tillary Street and go left on Flatbush Avenue to Myrtle Avenue. Turn right on Myrtle and go under Chase building to Lawrence Street.

Via Manhattan Bridge, exit Flatbush Avenue and take to Myrtle. Turn right on Myrtle, proceed under Chase building. Turn right on Lawrence Street.

Via Brooklyn Bridge, exit on Adams Street, proceed on Adams to Tillary and turn left. Proceed to Flatbush Avenue and turn right onto Myrtle Avenue. Drive under Chase building to Lawrence, turning right into garage.

BWRUG (Baltimore/Washington RACF Users Group) NEWS

At our last meeting (thanks to Phillip Fishgold and host Price Waterhouse), Hayim Sokolsky of PaineWebber (and the NYRUG) gave his famous presentation on RACF with Sysplex, and on RACF with SDSF. Marilyn Allmond of IBM spoke on the implications of the new DCE Security Server and RACF, and what this means to our career strategies.

Next BWRUG Meeting

Stu Henderson will speak on the RACF Remote Sharing Facility. We hope to have a speaker on RACF 2.2 user experiences. We'll end with a Q&A session.

Time: Thursday, July 18 from 9 to noon

Place: At the Association of American Railroads near Union Station in Washington, DC at 50 Capitol Place on the 4th Floor. By train, take AMTRAK or MARC or Virginia Rail Express to Union Station. Proceed on foot to the main concourse of the station, turn right into the West hall, and exit through the doors on the west side of the building (look for METRO kiosk with large letter "M"). Continue west past the METRO entrance, through the archway and across the street. Go to "CONTINUE" below.

By METRO (on the Red Line): Go up from the train platform to street level via the mid-platform escalator. Exit through the fare card gate and take the first escalator to street level. At top of escalator, turn 90 degrees to the left (west) and cross the street. (Look for the Postal Museum.) Cross First Street, turn left and proceed a few steps south to the corner of First St. NE and Massachusetts Avenue. Turn right onto Massachusetts and proceed one block west (keeping the Postal Museum on your right). At the five-way intersection (Mass Ave, North Capitol, F Street), turn left (south) to cross Mass Ave and then turn right (west) to cross North Capitol to the south side of F Street. The entrance to the Phoenix Park Hotel should be to your left. Proceed west along the south side of F Street, past two Irish pubs (The Dubliner and Kelly's Irish Times), past the vacant lot, to the brown 12-story building on the left. The first doorway in this building is 50 Capitol Place, the meeting place. Check in with the guard in the lobby. Go to the conference center on the 4th Floor. If you get lost, remember that the sun rises in the east, and that moss grows on the north side of trees.

By Car: There is parking at Union Station, but why drive when taking a train can be so pleasant and safe?

RACF User Services (Key Phone Numbers / Addresses)

Technical support hotline, Meetings, Free Newsletter subscription, Seminar Catalogs:
    Stu Henderson - (301) 229-7187
    5702 Newington Rd, Bethesda, MD 20816

Computer Security Policy Sharing Library
    (610) 383-3246
    Ms. Denise Saylor,
    Lukens Steel, ARC A200-Modena Road
    Coatesville, PA 19320

RACF List Server on the Internet

To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

    subscribe racf-l john smith

to the address: LISTSERV@uga.cc.uga.edu or LISTSERV@UGA.BITNET

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.

Other Internet places:

    Georgia RUG home page on the Internet
    http://www.mindspring.com/~ajc10/garug.htm

    IBM S/390 home page, including RACF:
    http://www.s390.ibm.com (revised)

    IBM FTP site, including RACF stuff:
    lscftp.kgn.ibm.com

    IBMLink at: http://www.ibmlink.com

    Seattle RUG:
    http://www.win.com/~ssabel/searug/searug.html



RACF USERS' NEWS
c/o Stu Henderson
5702 Newington Road
Bethesda, MD 20816-1282