RACF (part of OS/390 Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.
Texas RACF Users Group Going Strong Under New President
Carolyn Hopkins is the new TRUG President. To join or get more info, call her at (713) 831-8010. Tell her W says Hello.
To Get a Free Subscription to this Newsletter
Phone Stu at (301) 229-7187 with your request, leaving your name, postal address, and phone. For back issues, check his website: the Henderson Group at: http://www.stuhenderson.com
No RACF User News in June
We have gone to a three-issues-per-year schedule. Next issue will be in September, 2001. Have a great summer!
NEW YORK RUG Meeting Dates
Tuesday, April 3, 2001 from 1 to 5PM. Mark your calendars now. See inside for details. The meeting after that will be in October, probably on a Tuesday.
BALTIMORE/WASHINGTON RUG Meeting Dates
Monday, April 2, 2001 from 1 to 5PM. Mark your calendars now. See inside for details. The meeting after that will be in October, probably on a Monday.
Here's a Neat New Source of RACF Info
Several IBMers have placed the handouts from various presentations they make on the web. You can check them out at: http://www.ibm.com/s390/racf/presentations.html
The next big Vanguard Conference
will be in Reno, June 3-8, 2001. For contact info, please see page 7.
IBM Secureworld Security Conference
will be held August 27-31 at the Marriott Wardman hotel in Washington, DC.
Correction to Comments on TSOAUTH Class
Last issue, under the Fifteen Minute Project, we misstated the purpose of the rule named RECOVER in the TSOAUTH resource class. Alert reader Russell West was kind enough to point out that this rule represents the ability to do a TSO recovery, that is, the ability to salvage a user's TSO address space, for example when your terminal gets disconnected and you want to reconnect. Thanks Russell.
How Do I "Hard-Revoke" a Userid When I Don't Have Third Party Software?
If you don't want to risk a fired employee's userid being resumed inadvertently, and you have a third party product like Beta-88, Vanguard, CONSUL, or RA-2, you can hard-revoke the userid. If you don't, here are some suggestions:
Why Would I Use the FACILITY Class Rules Named IEAABD.DUMPAUTH and IEAABD.DMPAUTH?
As we start to make greater use of encryption, we will need to be absolutely certain that no one can learn the encryption keys, especially the keys used to prove the identity of our server, and to support SSL over the Internet. These FACILITY class rules control the ability to get dumps of memory containing controlled programs and memory for address spaces which contain tasks executing with protect keys lower than 8. You will also want to use dataset rules named SYS1.DUMP%% with a UACC of NONE. See the IBM manual: RACF Security Administrators Guide.
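One way to put the controls described above in place, as an added example that is not from the original newsletter. It covers the IEAABD.DMPAUTH rule and the SYS1.DUMP%% dataset rule; the group name SYSPROG is a hypothetical placeholder for whoever legitimately needs dumps at your site.

```rexx
/* REXX - added example, not from the newsletter.                    */
/* SYSPROG is a hypothetical group name; substitute your own.        */
address tso

/* 1. FACILITY class rule: nobody gets access by default.            */
"RDEFINE FACILITY IEAABD.DMPAUTH UACC(NONE)"

/* 2. Permit only the group that has a real need for dumps.          */
"PERMIT IEAABD.DMPAUTH CLASS(FACILITY) ID(SYSPROG) ACCESS(READ)"

/* 3. Pick up the change. This step applies only if the FACILITY     */
/*    class is RACLISTed on your system.                             */
"SETROPTS RACLIST(FACILITY) REFRESH"

/* 4. Dataset rule for the system dump datasets, UACC of NONE.       */
"ADDSD 'SYS1.DUMP%%' UACC(NONE)"
"PERMIT 'SYS1.DUMP%%' ID(SYSPROG) ACCESS(READ)"
"SETROPTS GENERIC(DATASET) REFRESH"

/* 5. Verify: list both rules with their access lists and confirm    */
/*    UACC is NONE and only the expected ids appear.                 */
"RLIST FACILITY IEAABD.DMPAUTH AUTHUSER"
"LISTDSD DATASET('SYS1.DUMP%%') AUTHUSER"
```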
So What Should I Expect When We Convert from OS/390 to z/OS?
Q: Will they have to break down the wall of the data center to bring in the new hardware?
A: No, it runs in the same boxes as before.
Q: Will they then have to put in new circuit boards in the CPU box?
A: No, they just put in new microcode. This is the logic which tells the circuit boards how to execute individual instructions (that is, instructions at the level of LOAD REGISTER and MOVE CHARACTERS).
Q: Is my vast knowledge of JCL, RACF, MVS, and CICS now obsolete?
A: No, these all stay the same. New features may introduce new operands, but it won't be more difficult than the upgrade to OS/390.
Q: So, what's the big deal with z/OS?
A: It gives you more power, more up-time, more flexibility, and greater ability to connect over networks. (Did we mention that RACF already gives us great security over USS, TCP/IP, and the Websphere web server?) It also gives us 64-bit addressing, which means that the highest number we can address in memory is much, much bigger than before. z/OS still supports 31-bit and 24-bit addressing; it just gives us the option of 64-bit addressing too.
Q: When the name z/OS comes as the first word in a sentence, should we make the z be upper case or lower case?
A: IBM is aware of this problem and has their very best people working on it.
Q: I'm an Assembler Language Programmer, so what does this mean to me?
A: Many control blocks will have changed formats to accommodate 64-bit addressing. However, this should cause no problem for anyone, since we have all stopped using programs which rely on the layout of control blocks which IBM says are not part of the standard programming interface. We all learned our lesson when we converted to MVS/XA (which is when we first were able to use 31-bit addressing).
Note that the PSW (Program Status Word) can now be 16 bytes long instead of 8, and the reserved addresses in low memory now can take 8K instead of 4K. Previous Assembler Language instructions work the same, but some have additional versions to support 64-bit addressing (often marked by adding a G to the instruction name). For example, we have always used the A instruction to add a fullword to a register, and AH to add a half-word (two bytes) to a register. With 64-bit addressing, we now have the instruction AG to add two words (64 bits) to a register. Registers are now 64 bits wide. However, they look the same, since we ignore the leftmost 32 bits except when we are in 64-bit mode. This means that the right-most 32 bits of each register are used anytime we are in 24 or 31-bit addressing mode, just as if it were a regular old 32-bit register.
We haven't evaluated these, but believe that every RACFer should know of them.
Fifteen Minute Project to Improve Your RACF
Review your SETROPTS options for datasets. The following are considered by many knowledgeable people to be essential for effective security:
Note that the way options are described in SETR LIST output often uses completely different words from the words you use in setting the options. For example, SETR TAPEDSN results in a listing describing TAPE DATASET PROTECTION IS ACTIVE. Other discrepancies are so egregious that we can't print them in a family publication. Just laugh when you see them, and think "IBM can't fool me."
NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS
NYRUG: At Our Next Meeting
Our next meeting will be hosted by Vanguard Integrity Professionals, which is also providing members with a free, pre-meeting lunch and product demonstration. Vanguard's product presentation precedes and is completely separate from our regular meeting. The product presentation will describe QS/390 and other VIP products. Our speaker will be: Phil Emrich of Vanguard on "RACF Security for MQ Series on OS/390". As always, we will have a question and answer session with some of the keenest RACF minds in the State to answer questions.
Time: Tuesday, April 3, 2001. The lunch and product presentation will begin at noon. The regular meeting starts at 1PM until it's too late to go back to the office.
Place: The Holiday Inn at 440 West 57th Street in Manhattan, phone (212) 581-8100. Lunch is in the restaurant, the meeting is in the Renaissance A room.
BWRUG (Baltimore/Washington RUG):
Our next meeting will be hosted by Vanguard Integrity Professionals, which is also providing members with a free, pre-meeting lunch and product demonstration. Vanguard's product presentation precedes and is completely separate from our regular meeting. The product presentation will describe QS/390 and other VIP products. At the regular meeting, our speaker will be: Phil Emrich of VIP on RACF and CICS. Phil will describe the new security facilities recently added to CICS Transaction Server for OS/390. He will also explain Security for CICS and the Web. As always, we will have a question and answer session with some of the keenest RACF minds in the Capital area to answer questions.
Time: Monday, April 2, 2001. The regular meeting will be from 1PM to 5PM, and the free lunch and product demo will be from noon to 1PM.
Place: Marriott Residence Inn at 7335 Wisconsin Ave in Bethesda, MD, phone (301) 718-0200. This is at the Bethesda stop of the RED LINE of the Metro (which goes quickly to Union Station for MARC and Amtrak riders). By car: Take the beltway I495 to Exit 34 (Wisconsin Ave.) This is NW of DC, near where I270 joins I495. Take Wisconsin Ave South (aka Route 355 South) about 2.5 miles. Watch for the Hyatt/Bethesda Metro on the right. Just past the Hyatt, take the next left onto Montgomery Avenue. Go one block and take the first right onto Waverly Avenue. Waverly wraps around to the front of the hotel where there is valet parking.
What Comes After Kilobyte and Megabyte?
Since z/OS has 64 bit addressing, we need to learn some new words for big big amounts of memory. Here they are:
====> Note that 2 raised to the 64th power is 16E, that is 16 exabytes.
Permanently Interesting Products Column
We have not evaluated these, but think every RACF shop should know about them.
HG RACF and Security Training Schedule:
The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog. To see what students say about these classes, please go to www.stuhenderson.com.
1) HG04 Effective RACF Administration ($1795)
May 7-11, 2001 in Atlanta, GA
Sept. 10-14, 2001 in New York City
Nov. 5-9, 2001 in Clearwater, FL
2) HG05 Advanced RACF Administration ($1185)
Mar. 28-30, 2001 in Clearwater, FL
Oct. 17-19, 2001 in Atlanta, GA
3) HG17 How to Be an Effective OS/390 (MVS) Data Security Officer (covers CICS, VTAM, DB2, JES, and other security along with MVS security, SAF, and OS/390) ($1190)
May 16-18, 2001 in Atlanta, GA
Sept. 5-7, 2001 in New York City
4) HG40 Mastering Windows 2000 (NT) Security (Windows 2000 is the new name for Windows NT Release 5, or NT5; this class covers NT4 security as well as Windows 2000 security) ($1195)
Apr. 25-27, 2001 in Bethesda, MD (near Washington, DC)
Sept. 19-21, 2001 in New York City
RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)
RACF List Server on the Internet
To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:
subscribe racf-l john smith
to the address: email@example.com
The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.
The RACF User News is published three times a year (December, March, and September) to share information about RACF. All information in it is offered on an "as is" basis, and should be used at your own risk, and with your own testing.
For Back Issues of this Newsletter and Links to Several Useful Web Sites check the Henderson Group website at: www.stuhenderson.com
Other Internet places:
Copyright ©: 2001, Stuart C. Henderson
Revised - March 18, 2001