RACF (part of OS/390 Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.
Computer Security Policy Sharing Library Continues
Terry Shoback of Alliance Capital has volunteered again to manage the library of real life policies. She will make copies available to anyone who asks her. You are of course invited to share your company's policy with the library by sending her a copy. See how to contact her on page 8.
New Phone for Tampa RUG
Jim Cuddy still runs the Tampa RACF Users Group. His new number is: (800) 237-0738x34233.
Win a Henderson Group Golf Shirt
This issue's contest is to see who has the most of the JES-related RACF classes active and in actual use. The winner will be the person who sends us the first SETR LIST printout with the most classes active from the following list. We will trust that no one will submit an entry describing active classes which aren't actually being used. The list of eligible classes is: JESSPOOL, JESINPUT, JESJOBS, NODES, WRITER, and SURROGAT. NEW YORK RUG Meeting Dates
On Wednesdays, from 1 to 5 PM: on January 13, 1999, and then April 14, 1999. Mark your calendars now. See inside for details.
BALTIMORE/WASHINGTON RUG Meeting Dates
On Thurdays, from 9AM to Noon: No meeting in January, and then April 15, 1999. Mark your calendars now. See inside for details.
A Change in RACFVARS with RACF 2.6
George Fogg of Seattle passes on this tip through the RACF List Server: The RACFVARS class should NOT have generics turned on. In RACF 2.6, if you try to create a new RACFVARS rule when generics is active for RACFVARS, you will get message ICH51003I NAME NOT FOUND IN RACF DATASET and message ICH10301I &... AND REMAINING ENTITIES NOT DEFINED TO RACF. The new rule will not be created.
What should you do? Issue:
SETR NOGENERIC(RACFVARS) NOGENCMD(RACFVARS) LIST.
Then update your written standard of how you want each of your SETR options set to reflect the change. You can do this now, before you get to RACF 2.6. Thanks, George.
New Way to Let Your Helpdesk Reset Passwords Without Group Special
RACF release 2.6 gives us a new way to delegate the authority to reset passwords, without giving away the SPECIAL or Group-Special privileges. It makes use of a new FACILITY class rule named: IRR.PASSWORD.RESET. Users who are permitted to this rule with READ permission can reset passwords for all userids EXCEPT userids which have SPECIAL, OPERATIONS, or AUDITOR. This is a great way to let your Helpdesk reset passwords, without letting them fool around with passwords of RACF administrators and auditors. Here are the commands:
RDEF FACILITY IRR.PASSWORD.RESET UACC(NONE) OWNER(OWNERGRP)... PE IRR.PASSWORD.RESET CLASS(FACILITY) ACC(READ) ID(HELPDESK) + RESET
(Note that the reset is to be used only on the first PERMIT command to this rule, since it clears the entire permit list of the rule before adding the new entry. This is to clear out the entry that permits the userid which created the rule to have ALTER access to it. You don't need this if you have specified SETR NOADDCREATOR.)
New Operand for ALTUSER to Specify That A Userid's Password Doesn't Need to Be Changed at the Next Logon
RACF release 2.6 lets you specify:
ALU userid NOEXPIRED PASSWORD(password)
so that the next time the user logs on, he or she doesn't have to change the password. (The opposite of NOEXPIRED is of course EXPIRED.) This is useful for userids which don't represent current users, for example userids predefined for CICS terminals, RJE and NJE userids, and userids which have just been converted from ACF2 or TopSecret.
Note that NOEXPIRED is different from NOINTERVAL. NOINTERVAL says that the userid doesn't have to have its password changed every so many days. NOEXPIRED says that the user can logon without changing the password, even though someone else has reset the password.
You can use the FACILITY class rule described next to permit someone to use the NOEXPIRED operand without giving him or her SPECIAL or Group SPECIAL.
New Way to Let Your Helpdesk LISTUSER and ALU NOEXPIRED
Again as of RACF release 2.6, you can delegate these abilities by permitting someone to a FACILITY class rule named: IRR.LISTUSER. A user or group with READ or higher permission to this rule can issue the LISTUSER command for all userids EXCEPT those userids with SPECIAL, OPERATIONS, or AUDITOR. A user with UPDATE or higher permission to this rule can issue ALTUSER .. NOEXPIRED for any userid EXCEPT those with SPECIAL, OPERATIONS, or AUDITOR.
Here are the RACF commands to let the Helpdesk issue LU and ALU...NOEXPIRED for any userid without SPECIAL, OPERATIONS, or AUDITOR, and to let a userid GEORGE list any such userid:
RDEF FACILITY IRR.LISTUSER UACC(NONE) OWNER(OWNERGRP)...
PE IRR.LISTUSER CLASS(FACILITY) ACC(UPDATE) ID(HELPDESK) +
PE IRR.LISTUSER CLASS(FACILITY) ACC(READ) ID(GEORGE)
(Note that the RESET is to be used only on the first PERMIT command to this rule, since it clears the entire permit list of the rule before adding the new entry. This is to clear out the entry that permits the userid which created the rule to have ALTER access to it. You don't need this if you have specified SETR NOADDCREATOR.)
A Tip on How to Handle Lower Case Characters for the OMVS Segment
Roy McCollough passes this one on through the RACF list server: If you need to enter lower case characters in RACF commands (for example, to specify info for the OMVS segment), you can put single quotes around the data. The single quotes tell TSO not to translate the characters to upper case. For example: 'keep this in lower case'. (To include a single quote in the information, enter three single quotes. For example: 'don'''t make this upper case'. Check your TSO guides for more info. Thanks, Roy.
ITSS Adds Features to RACF Password Cracker Program
For a few years now, Kurt Meiser and the other crack consultants at ITSS have given us a wonderful, free tool: their RACF password cracker program. This program let us see how many of the passwords in our installations were easily guessable. Using this program let us evaluate the quality of passwords in our shop. It also helped us to build a case to our management on the need for a training program to teach users how to make passwords "easy to remember, but difficult to guess". Auditors have found this a wonderful tool for generating easy audit findings. (Talk about a tool you should run yourself before the auditors do it to you!) This program was well designed to prevent abuse by unauthorized users.
ITSS is about to upgrade this tool, adding these features:
The new version of the cracker program should be available 1Q1999. (We understand that it will be Y2K compliant.) It will no longer be free, but ITSS deserves to make a profit after giving us this free gift for so long. See "Permanently Interesting Products" later in this issue to contact ITSS.
More Re-Structuring of RACF Software Industry
In addition to the industry changes described last issue, we have learned that ASPG has a new release of ERG, Easy RACF Query (which used to be called Essential Software Products). ASPG is also developing a multi-platform security administration and reporting tool. ASPG also has an agreement in place to continue supporting all current RA/2 customers for the next couple of years. See "Permanently Interesting Products" for contact info.
See also other products under "Interesting Product" below.
Fifteen Minute Project to Improve Your RACF Ask your JES system programmer for a list of all the NJE and RJE connections into your computer, and the physical location of each. Each of these represents a path into your system through which four things can enter: batch jobs to be executed, operator commands, printouts to be printed, and punched decks to be punched. Conduct your own risk assessment (for example, would we have a problem if someone at another site submitted a batch job or an operator command to execute on our system? What do we have to protect against it (for example BATCHALLRACF)? How much can we trust the other site? Is it connected by a leased or dial-up line?) Where needed, use resource classes such as those described in the Golf Shirt contest described on page 1, and consider using FACILITY class rules to force the sites to log on through RACF.
Questions and Answers
SR USER(USER02) NOMASK CLASS(DATASET)
(Yes, we know that the default for CLASS is DATASET, but we show it here, so that readers will be ready for the next question, which we have invented, just to make a point.) Please note that this command could affect system performance, since it results in a call to RACF for every dataset rule in the RACF database.
SR USER(USER02) NOMASK CLASS(FACILITY)
NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS
NYRUG: At Our Next Meeting
Mark Nelson of IBM will speak on a topic which will be something like "Secrets of the RACF Wizards: or How to Take Advantage of Under-Used and Under-Appreciated RACF Facilities to Make Your Life as an Administrator Easier". If you want to learn tricks with the SEARCH command, and other ways to be cleverly lazy, then don't miss this goldmine of little known secret techniques. If time permits, Stu Henderson may describe how to prepare to use the Mainframe Firewall tool, a follow-on to his recent "What Mainframers Need to Know and Do About TCP/IP". As always, we will have a question and answer session with some of the keenest RACF minds in the State to answer questions
Time: Wednesday, January 13, 1999 from 1PM until it's too late to go back to the office.
Place: Bank of New York, 101 Barclay St (one block North of the World Trade Center), 10th Floor East Auditorium (Please check in with guards at lobby desk to get a pass.)
BWRUG (Baltimore/Washington RUG):
The BWRUG will not meet this quarter. Please mark your calenders for April 15, 1999. We expect to have a presentation then on the new features of the latest release of RACF.
Interesting Products Column
We have not evaluated these, but think every RACF shop should know about them.
Permanently Interesting Products Column
We have not evaluated these, but think every RACF shop should know about them.
HG RACF and Security Training 1998 Schedule:
The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog.
1) HG04 Effective RACF Administration (formerly called How to Implement and Administer RACF Effectively) ($1695) Feb. 22-26, 1999 in Clearwater, FL May 17-21, 1999 in Atlanta, GA Sept.27-Oct. 1, 1999 in New York City Nov. 15-19, 1999 in Washington, DC Feb. 21-25, 2000 in Clearwater, FL 2) HG05 Advanced RACF Administration ($850) June 21-22, 1999 in Denver, CO Sept. 21-22, 1999 in Washington, DC 3) HG17 How to Be an Effective OS/390 (MVS) Data Security Officer) (covers CICS, VTAM, DB2, JES, and other security along with MVS security, SAF, and OS/390) ($1150) Mar. 1-3, 1999 in Clearwater, FL June 16-18, 1999 in Atlanta, GA Oct. 18-20, 1999 in Washington, DC 4) HG40 Mastering Windows NT Security ($850) June 23-24, 1999 in Denver, CO [This course will expand to 3 days in the second half of 1999.] RACF User Services (Key Phone Numbers / Addresses)
RACF User Services (Key Phone Numbers / Addresses)
RACF List Server on the Internet
To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:
subscribe racf-l john smith
to the address: LISTSERV@uga.cc.uga.edu or LISTSERV@UGA.BITNET
The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.
Other Internet places: