RACF Users' News # 55

Dec., 2000 Newsletter

Issue No. 55

RACF (part of OS/390 Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.

South Florida RACF Users Group Starts Up

If you want to join (or help support), contact Katherine Ramos at (305) 995-3835 or kramos@oit.dade.k12.fl.us. The next meeting is first Wednesday of February, 2001. The topic will be LDAP.

To Get a Free Subscription to this Newsletter

Phone Stu at (301) 229-7187 with your request, leaving your name, postal address, and phone. For back issues, check his website: the Henderson Group at: http://www.stuhenderson.com 

Ho-hum, Another Name Change for IBM Software

The follow-on operating system to OS/390 is called z/OS. (The "z" stands for "zero downtime".) This is truly a new operating system (it supports 64-bit addressing), but everything you know about RACF and OS/390 is still true for z/OS. JCL is still JCL, and CICS is still whatever they call it this week. The latest name change makes you think of a bad movie actor with a bad French accent: "It's time now to make a change to zee o/s".)

The next big Vanguard Conference

will be in Reno, June 3-8, 2001.

NEW YORK RUG Meeting Dates

Tuesday, January 30 from 1 to 5PM. Mark your calendars now. See inside for details. The meeting after that will be in April, probably on a Tuesday.


The BWRUG will not meet in January. Our next meeting will be in April, likely on a Monday from 1 to 5PM. Mark your calendars now. See inside for details. -------------------------------------------

Article Describes New SERVAUTH Resource Class

See for yourself at the Henderson Group at: http://www.stuhenderson.com  and click on Articles.

How to Get a Free Weekend Vacation and Help Your Company Save Money

Airlines often offer significantly lower airfares if you stay over a Saturday night. The savings is often greater than the extra nights' hotel cost. So if you are going to a seminar in, for example, Florida, then get the numbers and see how much you can save your company. Say to your boss, "Boss, I'm willing to give up of my own personal time, sitting alone in a hotel room, doing company work on a weekend, if it'll save the company money. Here's how much I can save the company this way. Would you like me to make this sacrifice?." For a Monday to Friday seminar, you could sacifice either the weekend before or after.

Different Ways to Identify a User (Besides the Userid) (And How RACF Links Them all Together)

Users can be identified by several different types of name. The one we like the most of course is the RACF userid. But other software packages can have other names for users. These packages include: UNIX, DCE, NDS (Novell Directory Services), Lotus Notes (Domino), and Kerberos. RACF provides translation in both directions between RACF userids and the names these software packages use. IBM calls this translation "Application Identity Mapping".

RACF uses segments of the user and group records to translate from RACF to the other software. It uses new resource classes to tranlate back from the other software's name to the RACF userid. These classes include UNIXMAP, NDSLINK, NOTELINK, and DCEUUIDS.

In Release 2.10 of RACF, the RACF database is re-organized to provide a more efficient means of supporting this translation back to RACF userids. (Learn more about this in the last issue of this newsletter.)

Let's talk first about the what UNIX calls a user.


UNIX users are identified by a number called the UID (short for "user identifier"). With OMVS (UNIX on the mainframe, aka USS), users are identified both by the RACF userid and by the UNIX UID. We will show you shortly what this looks like.

For now, please note that RACF provides automatic translation between RACF userid and UNIX UID. It does this by means of an OMVS segment associated with the user record in the RACF database. The OMVS segment contains the UID for that RACF user. When OMVS needs to ask RACF "What is the UID associated with userid GEORGE?", RACF reads the OMVS segment for user GEORGE. RACF then passes the UID from that segment as the answer back to OMVS.

In a similar fashion, UNIX identifies groups of users by a numeric GID. RACF tranlates RACF group names to GIDs by means of an OMVS segment to the group record in the RACF database.

Other software packages use yet different names for users: DCE calls a user by her UUID; Lotus Notes by her SNAME; NDS by her UNAME.

What do you think happens when UNIX turns to RACF and asks "What RACF userid corresponds to this UID?"? Before RACF 2.10, RACF used a new resource class named UNIXMAP, which was indexed by UID, and which contained the RACF userid. The UNIXMAP resource class also provided this reverse translation between UNIX GIDs and RACF group names. Other software packages use other resource classes (for example, DCE uses the DCEUUIDS class) for this reverse translation.

With RACF 2.10, IBM added a new "alias" index structure to the RACF database. (You need to run the IRRIRA00 for Internal Reorganization of Aliases. Please add this to your to-do list if you haven't addressed it yet. Please discuss it over lunch with your sysprog this week.) This IRA stores the reverse mapping information in the index of the RACF database for UNIX, NDS, and Lotus Notes. Once you use the IRA, the reverse mapping resource classes for these software packages become obsolete.

Other software packages (like DCE) still use resource classes (like DCEUUIDS) to support the reverse mapping.

For other software packages, RACF has similar resource classes to provide the reverse name mapping.

Here is a summary of names other software packages use, and the RACF segment used to translate them.

                  Name It Calls    Where RACF Stores       How RACF Translates
                  Calls a User     the Name                the Name Back to a
Software           (or Group)      (Record / Segment       Userid [RACF 2.10
Package               By           in the RACF Database)   IRA in brackets]
--------          -------------    ---------------------   -------------------

OMVS (aka USS)    UID (numeric )   User / OMVS              UNIXMAP class [IRA]

OMVS (aka USS)    (group, not      Group / OMVS
                  user)                                     UNIXMAP class [IRA]
                  (also numeric)                    

DCE               UUID             User / DCE               DCEUUIDS [DCEUUIDS]

NDS (Novell
Directory         UNAME            User / NDS               NDSLINK [IRA]

Lotus Notes       SNAME            User / LNOTES            NOTELINK [IRA]
(Domino)          (shortname)

Kerberos          KERBNAME         User / KERB              KERBLINK [KERBLINK]

Watch for This Virus

If you have a video camera attached to your PC which is attached to the Internet, then here is a possible risk: We understand that knowledgeable people are concerned about a new virus which turns on your camera and sends what it sees to some other site. Sort of "ET phone home" for video.

Great New Source for Free RACF Administrative and Audit Software

Want software for RACF audits, to issue RACF commands from within UNIX, to cleanup password histories in user records, to generate automatic commands to make two RACF databases look alike? Then go to http://www.s390.ibm.com/products/racf/goodies.html  and help yourself. These make great Christmas stocking stuffers, and they're free!

Follow-Up to Comment on OMVS and SPECIAL

In an earlier issue we suggested that you do not want to have any SPECIAL userids with an OMVS segment. Several alert readers have asked why, and we should have answered the question before it got asked. [Attention: if you are wearing a black hat, please stop reading this instant and skip to the next article.] So with our apologies, here is the reasoning: Any user who is permitted to the FACILITY class rule named BPX.DAEMON is able to take on the MVS identity (in UNIX) of any UID he wants. (If BPX.DAEMON is not defined, then all he would need is UID of zero.) This would make it possible for him then to take on the identity in RACF of any user who has a valid UID, including SPECIAL users. (By "take on the identity", we mean get a new ACEE control block for the address space.)

This is made possible by means of a UNIX Assembler Callable Service named setuid. This is only allowed if the userid whose identity you want to assume has a valid UID. This callable service includes several additional protections (for example, the program must be a controlled program), but these are so complex, and so difficult to verify, that you are better off keeping life simple and never giving a UID to any SPECIAL userid.

What would be the risk of a user assuming the identity of a SPECIAL userid? Another UNIX callable service lets programs in USS perform certain RACF administrative functions. The two callable services make it possible for someone to assume a SPECIAL userid's identity and then perform malicious RACF administration.

A Tip From Walt Farrell

Regular members of the RACF List Server (see the last page of this issue for details) will recognize a common posting: someone asks a question along the lines of "What is such and such a rule in the FACILITY class used for?" Walt's standard suggestion is to search using the OS/390 library on the Internet at http://www.ibm.com/s390/os390/bkserv/  Select for example, the OS/390 V2R10 books, select the option to search the text of all books on the bookshelf, and then enter a search on the phrase (or rule name) in question. This is a great tool and a great suggestion. Thanks, Walt. -------------------------------------------

Interesting Products

We have not evaluated these, but believe that every RACF shop should know about them:

Fifteen Minute Project to Improve Your RACF

Review use of the TSOAUTH resource class:

  1. Check the DSMON Class Descriptor Table report to see whether: TSOAUTH is ACTIVE, and has AUDIT turned on. (This AUDIT switch tells RACF to log all changes to rules in this class. You this switch active for every resource class.)
  2. List all the rules in the class by issuing RL TSOAUTH * ALL.
  3. See if the following rules exist and have appropriate permit lists and UACCS:
  4. See who is the "owner" of this class, and what the written approvals say.

NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS

NYRUG: At Our Next Meeting

Our next meeting will be hosted by the Bank of New York. Our featured speaker will be Paul de Graaff of IBM. (You've seen his name as the author of some of the best Red Books ever.) Paul will speak on how to secure the Websphere software, which connects your mainframe to the Internet. We hope to have other speakers on mainframe/Internet security. If your customers are talking to your mainframe with Netscape (or Internet Explorer) on their PCs, Websphere is the mainframe software Netscape is talking to. You will want to learn how RACF and OMVS security are used to secure this path into your system. You might prepare for the meeting by finding out whether your organization uses Websphere or plans to. As always, we will have a Q and A session with some of the keenest RACF minds in the State to answer questions.

Time: Tuesday, January 30, 2001 from 1PM until it's too late to go back to the office.

Place: The Bank of New York, but not at our usual location: 1 Wall Street on the 47th Floor


BWRUG (Baltimore/Washington RUG):

We will not meet in January. See you in April.

Permanently Interesting Products Column

We have not evaluated these, but think every RACF shop should know about them.

HG RACF and Security Training Schedule (Includes 2001 Dates):

         The Henderson Group offers its RACF and computer security/audit seminars around the
country and on-site too.  See the details below or call (301) 229-7187 for a free seminar catalog.  
To see what students say about these classes, please go to 
www.stuhenderson.com .

  1)     HG04 Effective RACF Administration ($1795)  

                  Feb. 19-23,      2001 in Clearwater, FL
                  May  7-11,       2001 in Atlanta, GA   
                  Sept.10-14,      2001 in New York City 
                  Nov. 5-9,        2001 in Clearwater, FL

  2)     HG05 Advanced RACF Administration  ($1185)                             

                  Mar. 28-30,      2001 in Clearwater, FL
                  Oct. 17-19,      2001 in Atlanta, GA   

  3)     HG17 How to Be an Effective OS/390 (MVS) Data Security Officer) (covers CICS,
         VTAM, DB2, JES, and other security along with MVS security, SAF, and OS/390)

                  Feb. 14-16,      2001 in Clearwater, FL
                  May  16-18,      2001 in Atlanta, GA   
                  Sept. 5-7,       2001 in New York City 

  4)     HG40 Mastering Windows 2000 (NT) Security   (Windows 2000 is the new name for
         Windows NT Release 5, or NT5; this class covers NT4 security as well as Windows
         2000 security) ($1195)             

                  Apl.  25-27,     2001 in Bethesda, MD (near Washington, DC)
                  Sept. 19-21,     2001 in New York City                     

RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)

RACF List Server on the Internet

To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: listserv@listserv.uga.edu

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.

The RACF User News is published three times a year (December, March, and September) to share information about RACF. All information in it is offered on an "as is" basis, and should be used at your own risk, and with your own testing.

For Back Issues of this Newsletter and Links to Several Useful Web Sites check the Henderson Group website at: www.stuhenderson.com

Other Internet places:

Stuart Henderson
(301) 229-7187
5702 Newington Road Bethesda, MD 20816-1282

Copyright ©: 2000, Stuart C. Henderson
Revised - Dec. 30, 2000