RACF Users' News # 56

March, 2001 Newsletter

Issue No. 56

RACF (part of OS/390 Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.

Texas RACF Users Group Going Strong Under New President

Carolyn Hopkins is the new TRUG President. To join or get more info, call her at (713) 831-8010. Tell her W says Hello.

To Get a Free Subscription to this Newsletter

Phone Stu at (301) 229-7187 with your request, leaving your name, postal address, and phone. For back issues, check his website: the Henderson Group at: http://www.stuhenderson.com 

No RACF User News in June

We have gone to a three-issues per year schedule. Next issue will be in September, 2001. Have a great summer!

NEW YORK RUG Meeting Dates

Tuesday, April 3, 2001 from 1 to 5PM. Mark your calendars now. See inside for details. The meeting after that will be in October, probably on a Tuesday.


Monday, April 2, 2001 from 1 to 5PM. Mark your calendars now. See inside for details. The meeting after that will be in October, probably on a Monday.


Here's a Neat New Source of RACF Info

Several IBMers have placed the handouts from various presentations they make on the web. You can check them out at: http://www.ibm.com/s390/racf/presentations.html 

The next big Vanguard Conference

will be in Reno, June 3-8, 2001. For contact info, please see page 7.

IBM Secureworld Security Conference

will be held August 27-31 at the Marriott Wardman hotel in Washington, DC.

Correction to Comments on TSOAUTH Class

Last issue under the Fifteen Minute Project, we misstated the purpose of the rule named RECOVER in the TSOAUTH resource class. Alert reader Russell West was kind enough to point out that this rule represents the ability to do a TSO recovery, that is the ability to salvage a user's TSO address space, for example when your terminal gets disconnected and you want to reconnect. Thanks Russell.

How Do I "Hard-Revoke" a Userid When I Don't Have Third Party Software?

If you don't want the risk of a fired employee's userid being resumed inadvertantly, if you have a third party product like Beta-88, Vanguard, CONSUL, or RA-2, you can hard-revoke the userid. If you don't, here are some suggestions:


As we start to make greater use of encryption, we will need to be absolutely certain that no one can learn the encryption keys, especially the keys used to prove the identity of our server, and to support SSL over the Internet. These FACILITY class rules control the ability to get dumps of memory containing controlled programs and memory for address spaces which contain tasks executing with protect keys lower than 8. You will also want to use dataset rules named SYS1.DUMP%% with a UACC of NONE. See the IBM manual: RACF Security Administrators Guide.

So What Should I Expect When We Convert from OS/390 to z/OS?

Q: Will they have to break down the wall of the data center to bring in the new hardware?

A: No, it runs in the same boxes as before.

Q: Will they then have to put in new circuit boards in the CPU box?

A: No, they just put in new microcode. This is the logic which tells the circuit boards how to execute individual instructions (that is, instructions at the level of LOAD REGISTER and MOVE CHARACTERS).

Q: Is my vast knowledge of JCL, RACF, MVS, and CICS now obsolete?

A: No, these all stay the same. New features may introduce new operands, but it won't be more difficult than the upgrade to OS/390.

Q: So, what's the big deal with z/OS?

A: It gives you more power, more up-time, more flexibility,5 and greater ability to connect over networks. (Did we mention that RACF already gives us great security over USS, TCP/IP, and the Websphere web server?) It also give us 64-bit addressing, which means that the highest number we can address in memory is much, much bigger than before. z/OS still supports 31-bit and 24- bit addressing; it just gives us the option of 64-bit addressing too.

Q: When the name z/OS comes as the first word in a sentence, should we make the z be upper case or lower case?

A: IBM is aware of this problem and has their very best people working on it.

Q: I'm an Assembler Language Programmer, so what does this mean to me? Many control blocks will have changed formats to accommodate 64-bit addressing. However, this should cause no problem for anyone, since we have all stopped using programs which rely on the layout of control blocks which IBM says are not part of the standard programming interface. We all learned our lesson when we converted to MVS/XA (which is when we first were able to use 31-bit addressing).

Note that the PSW (Program Status Word) can now be 16 bytes long instead of 8, and the reserved addresses in low memory now can take 8K instead of 4K. Previous Assembler Language instructions work the same, but some have additional versions to support 64-bit addressing (often marked by adding a G to the instruction name). For example, we have always used the A instruction to add a fullword to a register, and AH to add a half-word (two bytes) to a register. With 64-bit addressing, we now have the instruction AG to add two words (64-bits) to a register. Registers are now 64 bits wide. However, they look the same, since we ignore the leftmost 32 bits except when we are in 64- bit mode. This means that the right-most 32 bits of each register are used anytime we are in 24 or 31-bit addressing mode, just as if it were a regular old 32 bit register.

Interesting Products

We haven't evaluated these, but believe that every RACFer should know of them.

Fifteen Minute Project to Improve Your RACF

Review your SETROPTS options for datasets. The following are considered by many knowledgeable people to be essential for effective security: