z/OS Security Server RACF Security Administrator’s Guide SA22-7683-12

Note: Before using this information and the product it supports, be sure to read the general information under "Notices" on page 743.

Thirteenth edition, September 2008

This is a major revision of SA22-7683-11.

This edition applies to Version 1 Release 10 of z/OS (5694-A01) and to all subsequent releases and modifications until otherwise indicated in new editions.

IBM welcomes your comments. A form for readers' comments may be provided at the back of this document, or you may address your comments to the following address:

International Business Machines Corporation
MHVRCFS, Mail Station P181
2455 South Road
Poughkeepsie, NY 12601-5400
United States of America

FAX (United States & Canada): 1+845+432-9405
FAX (Other Countries): Your International Access Code +1+845+432-9405
IBMLink (United States customers only): IBMUSM10(MHVRCFS)
Internet e-mail: [email protected]
World Wide Web: http://www.ibm.com/systems/z/os/zos/webqs.html

If you would like a reply, be sure to include your name, address, telephone number, or FAX number.

Make sure to include the following in your comment or note:
- Title and order number of this document
- Page number or topic related to your comment

When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you.

Copyright International Business Machines Corporation 1994, 2008. All rights reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures
Tables

About this document
  Who should use this document
  How to use this document
  Where to find more information
  Softcopy publications
  RACF courses
  IBM systems center publications
  Other sources of information
  IBM discussion areas
  Internet sources
  To request copies of IBM publications

Summary of changes

Chapter 1. Introduction
  How RACF Meets Security Needs
  User Identification and Verification
  Authorization Checking
  Logging and Reporting
  User Accountability
  Flexibility
  RACF Transparency
  Implementing Multilevel Security
  Multilevel Security
  Characteristics of a Multilevel-Secure Environment
  Administering Security
  Delegating Administration Tasks
  Administering Security When a z/VM System Shares the RACF Database
  Using RACF Commands or Panels
  RACF Group and User Structure
  Defining Users and Groups
  Protecting Resources
  Security Classification of Users and Data
  Selecting RACF Options
  Using RACF Installation Exits to Customize RACF
  The RACROUTE REQUEST=VERIFY, VERIFYX, AUTH, and DEFINE exits
  The RACROUTE REQUEST=LIST exits
  The RACROUTE REQUEST=FASTAUTH exits
  The RACF command exits
  The RACF password processing exits
  The RACF password authentication exits
  Tools for the Security Administrator
  Using RACF utilities
  RACF block update command (BLKUPD)
  Using the RACF report writer
  Using the data security monitor
  Recording statistics in RACF profiles
  Listing information from RACF profiles
  Searching for RACF profile names
  Using the LIST and SEARCH commands effectively

Chapter 2. Organizing for RACF Implementation
  Ensuring Management Commitment
  Selecting the Security Implementation Team
  Responsibilities of the Implementation Team
  Defining Security Objectives and Preparing the Implementation Plan
  Deciding What to Protect
  Protecting Existing Data
  Protecting New Data
  Allowing a Warning Period
  Establishing Ownership Structures
  Selecting User IDs and Group Names
  Establishing Your RACF Group Structure
  Educating the System Users
  Summary

Chapter 3. Defining Groups and Users
  Defining RACF Groups
  Types of Groups
  Group Profiles
  Defining Large Groups with the UNIVERSAL Attribute
  Group Naming Conventions
  Benefits of Using RACF Groups
  Group Ownership and Levels of Group Authority
  Summary of Steps for Defining a RACF Group
  Summary of Steps for Deleting Groups
  Defining Users
  User Profiles
  User Naming Conventions
  Suggestions for Defining User IDs
  Ownership of a RACF User Profile
  User Attributes
  User Attributes at the Group Level
  Suggestions for Assigning User Attributes
  Verifying User Attributes
  Default Universal Access Authority (UACC)
  Assigning Security Categories, Levels, and Labels to Users
  Limiting When a User Can Access the System
  Defining Protected User IDs
  Defining restricted user IDs
  Assigning password phrases
  Summary of Steps for Defining Users
  Summary of Steps for Deleting Users
  General Considerations for User ID Delegation

Chapter 4. Classifying Users and Data
  Security Classification of Users and Data
  Effect On RACF Authorization Checking
  Understanding Security Levels and Security Categories
  CATEGORY and SECLEVEL Information in Profiles
  Converting from LEVEL to SECLEVEL
  Deleting UNKNOWN Categories
  Maintaining Categories in an RRSF Environment
  Understanding Security Labels
  Comparing Security Labels
  Considerations Related to Security Labels
  How Users Specify Current Security Labels
  Listing Security Labels
  Finding Out Which Security Labels a User Can Use
  Searching by Security Labels
  Restricting Security Label Changes
  Requiring Security Labels
  Controlling the Writedown Privilege
  Planning Considerations for Security Labels

Chapter 5. Specifying RACF Options
  Using the SETROPTS Command
  SETROPTS Options for Initial Setup
  Allowing Mixed-Case Passwords (PASSWORD Option)
  Establishing Password Syntax Rules (PASSWORD Option)
  Setting the Maximum and Minimum Change Interval (PASSWORD Option)
  Extending Password and User ID Processing (PASSWORD Option)
  Revoking Unused User IDs (INACTIVE Option)
  Activating List-of-Groups Checking (GRPLIST Option)
  Setting the RVARY Passwords (RVARYPW Option)
  Restricting the Creation of General Resource Profiles (GENERICOWNER Option)
  Activating General Resource Classes (CLASSACT Option)
  Activating Generic Profile Checking and Generic Command Processing
  Activating Statistics Collection (STATISTICS Option)
  Activating Global Access Checking (GLOBAL Option)
  RACF-Protecting All Data Sets (PROTECTALL Option)
  Activating JES2 or JES3 RACF Support
  Preventing Access to Uncataloged Data Sets (CATDSNS Option)
  Activating Enhanced Generic Naming for the DATASET Class (EGN Option)
  Controlling Data Set Modeling (MODEL Option)
  Bypassing Automatic Data Set Protection (NOADSP Option)
  Displaying and Logging Real Data Set Names (REALDSN Option)
  Protecting Data Sets with Single-Qualifier Names (PREFIX Option)
  Activating Tape Data Set Protection (TAPEDSN Option)
  Activating Tape Volume Protection (TAPEVOL Option)
  Establishing a Security Retention Period for Tape Data Sets (RETPD Option)
  Erasing Scratched or Released Data (ERASE Option)
  Establishing National Language Defaults (LANGUAGE Option)
  SETROPTS Options to Activate In-Storage Profile Processing
  SETROPTS GENLIST Processing
  SETROPTS RACLIST Processing
  SETROPTS REFRESH Option for Special Cases
  Refreshing In-Storage Generic Profile Lists (GENERIC REFRESH Option)
  Refreshing Global Access Checking Lists (GLOBAL REFRESH Option)
  Refreshing Shared Systems (REFRESH Option)
  SETROPTS Options for Special Purposes
  Protecting Undefined Terminals (TERMINAL Option)
  Activating the Security Classification of Users and Data
  Establishing the Maximum VTAM Session Interval (SESSIONINTERVAL Option)
  Activating Program Control (WHEN(PROGRAM) Option)
  SETROPTS Options Related to Security Labels
  Restricting Changes to Security Labels (SECLABELCONTROL option)
  Preventing Changes to Security Labels (MLSTABLE Option)
  Quiescing RACF Activity (MLQUIET Option)
  Preventing the Copying of Data to a Lower Security Label (SETROPTS MLS Option)
  Activating Compatibility Mode For Security Labels (COMPATMODE Option)
  Enforcing Multilevel Security (MLACTIVE Option)
  Restricting Access to z/OS UNIX Files and Directories (MLFSOBJ Option)
  Restricting Access to Interprocess Communication Objects (MLIPCOBJ Option)
  Using Name-hiding (MLNAMES Option)
  Activating Security Labels by System Image (SECLBYSYSTEM Option)
  SETROPTS Options for Automatic Control of Access List Authority
  Automatic Addition of Creator's User ID to Access List
  Automatic Omission of Creator's User ID from Access List
  Specifying the Encryption Method for User Passwords
  Using Started Procedures
  Assigning RACF User IDs to Started Procedures
  Authorizing Access to Resources
  Setting Up the STARTED Class
  Using the Started Procedures Table (ICHRIN03)
  Started Procedure Considerations

Chapter 6. Protecting Data Sets on DASD and Tape
  Protecting Data Sets
  Rules for Defining Data Set Profiles
  Controlling the Creation of New Data Sets
  Data Set Profile Ownership
  Data Set Profiles
  Rules for Generic Data Set Profile Names
  Automatic Profile Modeling for Data Sets
  Password-Protected Data Sets
  Protecting GDG Data Sets
  Protecting Data Sets That Have Duplicate Names
  Disallowing Duplicate Names for Data Set Profiles
  Using the PROTECT Operand or SECMODEL for Non-VSAM Data Sets
  Protecting Multivolume Data Sets with Discrete Profiles
  Protecting DASD Data Sets
  Access Authorities for DASD Data Sets
  Erasing of Scratched (Deleted) DASD Data Sets
  Comparison of Password and RACF Authorization Requirements for VSAM
  Protecting Catalogs
  Protecting DASD System Data Sets
  DASD Volume Authority
  DFSMSdss Storage Administration
  Protecting Data on Tape
  Using DFSMSrmm with RACF
  Choosing Which Tape-Related Options to Use
  Protecting Existing Data on Tape (SETROPTS TAPEDSN in Effect)
  Protecting New Data on Tape
  Security Levels and Security Categories for Tapes
  Security Labels for Tapes
  Tape Volume Profiles That Contain a TVTOC
  Predefining Tape Volume Profiles for Tape Data Sets
  RACF Security Retention Period Processing (TAPEDSN Must Be Active)
  Authorization Requirements for Tape Data Sets When Both TAPEVOL and TAPEDSN Are Active

  Authorization Requirements for Tape Data Sets When TAPEVOL Is Inactive and TAPEDSN Is Active
  Authorization Requirements for Tape Data Sets When TAPEVOL Is Active and TAPEDSN Is Inactive
  JCL Changes
  Installations with DFSMShsm
  IEC.TAPERING Profile in the FACILITY Class
  Password-Protected Tape Data Sets
  Using the PROTECT Parameter for Tape Data Set or Tape Volume Protection
  Multivolume Tape Data Sets
  RACF Authorization of Bypass Label Processing (BLP)
  Authorization Requirements for Labels
  Tape Data Set and Tape Volume Protection with Nonstandard Labels (NSL)
  Tape Data Set and Tape Volume Protection for Nonlabeled (NL) Tapes

Chapter 7. Protecting General Resources
  Defining Profiles for General Resources
  Summary of Steps for Defining General Resource Profiles
  Choosing Between Discrete and Generic Profiles in General Resource Classes
  Disallowing Generic Profile Names for General Resources
  Choosing Among Generic Profiles, Resource Group Profiles, and RACFVARS Profiles
  Using Generic Profiles
  Rules for Generic Profile Names
  Generic Profile Checking of General Resources
  Granting Access Authorities
  Conditional Access Lists for General Resource Profiles
  Setting Up the Global Access Checking Table
  How Global Access Checking Works
  Candidates for Global Access Checking
  Creating Global Access Checking Table Entries
  Stopping Global Access Checking for a Specific Class
  Listing the Global Access Checking Table
  Special Considerations for Global Access Checking
  Field-level access checking
  Planning for Profiles in the FACILITY Class
  Delegating help desk functions
  Delegating authority to profiles in the FACILITY class
  Creating Resource Group Profiles
  Adding a Resource to a Profile
  Deleting a Resource from a Profile
  Which Profiles Protect a Particular Resource?
  Resolving Conflicts among Multiple Profiles
  Considerations for Resource Group Profiles
  Using RACF Variables in Profile Names (RACFVARS Class)
  Defining RACF Variables
  Example of Protecting Several Tape Volumes Using the RACFVARS Class
  Using RACF Variables
  RACFVARS Considerations
  Using RACFVARS with Mixed-Case Classes
  Controlling VTAM LU 6.2 Bind
  Protecting Applications
  Protecting DFP-Managed Temporary Data Sets
  Protecting File Services Provided by LFS/ESA

  Protecting Terminals
  Creating Profiles in the TERMINAL and GTERMINL Classes
  Controlling the Use of Undefined Terminals
  Limiting Specific Groups of Users to Specific Terminals
  Limiting the Times That a Terminal Can Be Used
  Using Security Labels to Control Terminals
  Using the TSO LOGON Command with the RECONNECT Operand
  Protecting Consoles
  Using Security Labels to Control Consoles
  Using the Secured Signon Function
  The RACF PassTicket
  Activating the PTKTDATA Class
  Defining Profiles in the PTKTDATA Class
  When the Profile Definitions Are Complete
  How RACF Processes the Password or PassTicket
  Enabling the Use of PassTickets
  Protecting the Vector Facility
  Controlling Access to Program Dumps
  Using RACF to Control Access to Program Dumps
  Using Non-RACF Methods to Control Access to Program Dumps
  Controlling the Allocation of Devices
  Protecting LLA-Managed Data Sets
  Controlling Data Lookaside Facility (DLF) Objects (Hiperbatch)
  Using RACROUTE REQUEST=LIST,GLOBAL=YES Support
  The RACGLIST Class
  Administering the Use of Operator Commands
  Authorizing the Use of Operator Commands
  Command Authorization in an MCS Sysplex
  Controlling the Use of Operator Commands
  Controlling the Use of Remote Sharing Functions
  Controlling Access to the RACLINK Command
  Controlling Password Synchronization
  Controlling the Use of the AT Operand
  Controlling the Use of the ONLYAT Operand
  Controlling Automatic Direction
  Establishing Security for the RACF Parameter Library
  Controlling Message Traffic
  Controlling the Opening of VTAM ACBs
  RACF and PSF (Print Services Facility)
  Auditing When Users Receive Message Traffic
  RACF and APPC
  User Verification during APPC Transactions
  Protection of APPC/MVS Transaction Programs (TPs)
  LU Security Capabilities
  Origin LU Authorization
  Protection of APPC Server IDs (APPCSERV)
  RACF and CICS
  RACF and DB2
  RACF and ICSF
  RACF and z/OS UNIX
  RACF Support for NDS and Lotus Notes for z/OS
  Administering Application User Identities
  System Considerations
  Authorizing Applications to Use Identity Mapping
  Considerations for Application User Names
  Storing encryption keys using the KEYSMSTR class

  Steps for storing a key in a KEYSMSTR profile
  Defining delegated resources
  Steps for authorizing daemons to use delegated resources

Chapter 8. Administering the Dynamic Class Descriptor Table (CDT)
  Overview of the class descriptor table
  Restrictions for applications and vendor products
  Using the dynamic CDT
  Profiles in the CDT class
  Adding a dynamic class with a unique POSIT value
  Steps for adding a dynamic class with a unique POSIT value
  Adding a dynamic class that shares a POSIT value
  When a POSIT value is shared
  Rules about disallowing generics when sharing a POSIT value
  Steps for adding a dynamic class with a shared POSIT value
  Changing a POSIT value for a dynamic class
  Steps for changing a POSIT value of an existing dynamic class
  Guidelines for changing dynamic CDT entries
  Defining a dynamic class with generics disallowed
  Steps for changing a dynamic class to disallow generic profiles
  Deleting a class from the dynamic CDT
  Steps for deleting a dynamic CDT class
  Disabling the dynamic CDT
  Re-enabling a previously defined dynamic class
  Steps to re-enable a previously defined dynamic class
  Recommendation for moving to the dynamic CDT
  Sysplex considerations for the dynamic CDT
  Shared system considerations for the dynamic CDT
  Shared system rules for disallowing generics with dynamic classes
  RRSF considerations for the dynamic CDT

Chapter 9. Protecting Programs
  Program security modes
  Simple program protection in BASIC or ENHANCED mode
  Program control by SMFID in BASIC or ENHANCED mode
  Maintaining a clean environment in BASIC or ENHANCED mode
  More complex controls: Using EXECUTE access for programs or libraries (BASIC mode)
  Migrating from BASIC to ENHANCED program security mode
  Protecting program libraries
  Program access to data sets (PADS) in BASIC mode
  Choosing between the PADCHK and NOPADCHK operands
  Program access to SERVAUTH resources in BASIC or ENHANCED mode
  ENHANCED program security mode
  Program access to data sets (PADS) in ENHANCED mode
  Using EXECUTE access for programs and libraries in ENHANCED mode
  When to use MAIN or BASIC
  Defining programs as MAIN or BASIC
  How protection works for programs and PADS
  How program control works
  Informational messages for program control
  Authorization checking for access control to load modules
  Authorization checking for access control to data sets
  Processing for execute-controlled libraries
  Examples of controlling programs and using PADS
  Examples of defining load modules as controlled programs

Examples of setting up program access to data sets . . . . . . . . . 343 Example of setting up an execute-controlled library . . . . . . . . . . 343 Example of setting up program control by system ID . . . . . . . . . 344 Chapter 10. Operating Considerations . . . . . . . . . . . . . . Coordinating Profile Updates . . . . . . . . . . . . . . . . . . RACF Commands for Flushing a VLF Cache . . . . . . . . . . . Getting Started with RACF (after First Installing RACF) . . . . . . . . Logging On as IBMUSER and Checking Initial Conditions . . . . . . Defining Administrator User IDs for Your Own Use . . . . . . . . . Defining at Least One User ID to Be Used for Emergencies Only . . . . Logging on as RACFADM, Checking Groups and Users, and Revoking IBMUSER . . . . . . . . . . . . . . . . . . . . . . . Defining the Groups Needed for the First Users . . . . . . . . . . Defining a System-Wide Auditor . . . . . . . . . . . . . . . . Defining Users and Groups . . . . . . . . . . . . . . . . . . Defining Group Administrators, Group Auditors, and Data Managers . . . Protecting System Data Sets . . . . . . . . . . . . . . . . . Setting RACF Options . . . . . . . . . . . . . . . . . . . . Using the Data Security Monitor (DSMON) . . . . . . . . . . . . . JCL Parameters Related to RACF . . . . . . . . . . . . . . . . Restarting Jobs . . . . . . . . . . . . . . . . . . . . . . . Bypassing Password Protection . . . . . . . . . . . . . . . . . Controlling Access to RACF Passwords . . . . . . . . . . . . . . Authorizing Only RACF-Defined Users to Access RACF-Protected Resources Using the TSO or ISPF Editor . . . . . . . . . . . . . . . . . . Service by IBM Personnel . . . . . . . . . . . . . . . . . . . Failsoft Processing . . . . . . . . . . . . . . . . . . . . . . Failsoft Processing with Tape Data Sets . . . . . . . . . . . . . Considerations for RACF Databases . . . . . . . . . . . . . . . Backup RACF Database . . . . . . . . . . . . . . . . . . . Multiple Data Set Support . . . . . 
. . . . . . . . . . . . . Protecting the RACF Database . . . . . . . . . . . . . . . . Using RACF Data Sharing . . . . . . . . . . . . . . . . . . Sharing Data without Sharing a RACF Database . . . . . . . . . . Number of Resident Data Blocks . . . . . . . . . . . . . . . . Chapter 11. Working With The RACF Database . . Using the RACF Database Unload Utility (IRRDBU00) . Diagnosis . . . . . . . . . . . . . . . . Performance Considerations . . . . . . . . . Operational Considerations . . . . . . . . . . Running the Database Unload Utility . . . . . . Allowable Parameters . . . . . . . . . . . . Using the Database Unload Utility Output Effectively Using the RACF remove ID (IRRRID00) utility . . . . IRRRID00 Job Control Statements . . . . . . . Finding Residual IDs . . . . . . . . . . . . Creating Commands to Remove IDs . . . . . . Using IRRRID00 output . . . . . . . . . . . Processing Profiles and Resources . . . . . . . What IRRRID00 Verifies . . . . . . . . . . . Database Objects That Are Not Processed . . . . Processing a Hierarchy of Groups . . . . . . . Processing Global Profiles . . . . . . . . . . Processing General Resource Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 345 346 347 348 349 349 349 350 350 350 350 351 352 352 356 357 357 357 358 359 359 359 360 360 361 361 361 362 362 362 363 364 364 364 365 366 368 369 386 388 391 392 393 395 396 397 398 398 398


    Processing MEMBER Data  399
    Processing Universal Groups  399
    IRRRID00 and Tivoli  399
    Time Required to Run IRRRID00  399

Chapter 12. The RACF remote sharing facility (RRSF)  401
  The RRSF Network  402
    RRSF Nodes  403
  Establishing User ID Associations in the RRSF Network  404
    Types of User ID Associations  404
    Password Synchronization  405
    The RACLINK Command  406
  User ID Associations  408
    Defining User ID Associations  408
    Approving User ID Associations  409
    Deleting User ID Associations  409
    Listing User ID Associations  409
  Command Direction  409
    Commands That Are Not Eligible for Command Direction  410
    Directing Commands Using the AT Option  410
    Directing Commands Using the ONLYAT Option  413
    Directing commands to incompatible systems  413
  Automatic Direction  413
    Preparing to Use Automatic Direction  415
    Output Processing  418
    Interactions among Automatic Direction Functions and Password Synchronization  423
    Using Automatic Direction of Commands  425
    Using Automatic Direction of Application Updates  428
    Using Automatic Password Direction  431
    Relationship to User ID Associations  432
    Synchronizing Passwords and Password Phrases  432
    RRSF Considerations for JES Security  432
    RRSF Considerations for z/OS Network Authentication Service  432
  Synchronizing Database Profiles  433

Chapter 13. RACF and DCE  435
  Cross Linking DCE Identities and RACF User IDs  435
    Defining Cross Linking Information  436
  The RACF DCEUUIDS Class  437
    Defining Profiles to the RACF DCEUUIDS Class  437
    Activating the DCEUUIDS Class  437
  Administering DCE Information in RACF  437
  Single Signon Support for DCE  438
    Using Encryption with Single Signon  439

Chapter 14. RACF and Information Management System (IMS)  441
  Overview of RACF and IMS  441
  Controlling Access to IMS System Data Sets and Databases  442
  IMS System Generation Considerations  443
  Establishing Audit Trail Capabilities  445
  Controlling Access to IMS Control Regions  447
  Controlling Access to IMS Transactions  447
    Grouping IMS Transactions under a Common Profile  448
  Controlling Access to IMS Physical Terminals  449
  Authorization to IMS Control Region Resources  449


  Defining Application Group Names for IMS  450
  Summary  452

Chapter 15. Providing Security for JES  453
  Planning for Security  454
  How JES and RACF Work Together  455
    Defining JES as a RACF Started Procedure  455
    Forcing Batch Users to Identify Themselves to RACF  456
    Support for Execution Batch Monitor (XBM) (JES2 Only)  456
    Defining and Grouping Operators  456
    JES User ID Early Verification  457
    User ID Propagation When Jobs Are Submitted  457
      Allowing Surrogate Job Submission  457
      Controlling User ID Propagation in a Local Environment  459
    Using Protected User IDs for Batch Jobs  460
      Propagating Protected User IDs  460
      Using Protected User IDs for Surrogate Job Submission  460
    Where NJE Jobs Are Verified  460
    How SYSOUT Requests Are Verified  461
    Security Labels for JES Resources  462
  Controlling Access to Data Sets JES Uses  462
  Controlling Input to Your System  463
    How RACF Validates Users  463
    Controlling the Use of Job Names  464
    Authorizing the Use of Input Sources  467
  Authorizing Network Jobs and SYSOUT (NJE)  468
    Authorizing Inbound Work  469
    Authorizing Outbound Work  486
  Controlling Access to Spool Data  486
    Protecting Data Sets on Spools  486
    Defining Profiles for SYSIN and SYSOUT Data Sets  487
    Letting Users Create Their Own JESSPOOL Profiles  489
    Protecting JESNEWS  490
    Protecting Trace Data Sets (JES2 Only)  492
    Protecting SYSLOG  492
    Spool Offload Considerations (JES2 Only)  492
    How RACF Affects Jobs Dumped from and Restored to Spool (JES3 Only)  493
  Authorizing Console Access  493
    MCS Consoles  493
    Remote Workstations (RJP/RJE Consoles)  494
    JES3 Consoles  496
  Controlling Where Output Can Be Processed  496
  Authorizing the Use of Your Installation's Printers  497
  Authorizing the Use of Operator Commands  498
    Commands from RJE Work Stations  498
    Commands from NJE Nodes  498
    Who Authorizes Commands When RACF Is Active  499

Chapter 16. RACF and Storage Management Subsystem (SMS)  501
  Overview of RACF and SMS  501
  RACF General Resource Classes for Protecting SMS Classes  501
  Controlling the Use of SMS Classes  502
    Refreshing Profiles for SETROPTS RACLIST Processing for MGMTCLAS and STORCLAS  503
  DFP Segment in RACF Profiles  503
    DFP Segment in User and Group Profiles  504


    DFP Segment in Data Set Profiles  505
    How RACF Uses the Information in the DFP Segments  506
    Controlling Access to the DFP Segment  506
  Controlling the Use of Other SMS Resources  509

Chapter 17. RACF and TSO/E  511
  TSO/E Administration Considerations  511
  Protecting TSO Resources  512
    Authorization Checking for Protected TSO Resources  515
    Field-Level Access Checking for TSO  515
  Controlling the Use of the TSO SEND Command  515
  Restricting Spool Access by TSO Users  516
  TSO Commands That Relate to RACF  516
  Using TSO When RACF Is Deactivated  517

Chapter 18. RACF and z/OS UNIX  519
  Defining group identifiers (GIDs)  520
  Defining user identifiers (UIDs)  521
    Listing UIDs and GIDs  521
    Superuser authority  522
    Setting z/OS UNIX user limits  522
    Protected user IDs  523
  Controlling the use of shared UNIX identities  523
    Sharing IDs  523
    Defining the SHARED.IDS profile in the UNIXPRIV class  523
    Using the SHARED operand  524
  Enabling automatic assignment of UNIX identities  524
    Setting up the BPX.NEXT.USER profile  525
    RRSF Considerations  526
  Using default OMVS segments in USER and GROUP profiles  527
  z/OS UNIX performance considerations  528
    Converting to stage 3 of application identity mapping  529
    Using the UNIXMAP class and Virtual Lookaside Facility (VLF)  529
  Using UNIXPRIV class profiles to manage z/OS UNIX privileges  532
    Example of authorizing superuser privileges  533
    Allowing z/OS UNIX users to change file ownerships  533
    Configuring the group owner for new UNIX files  534
  Protecting file system resources  535
    Administering ACLs  535
  z/OS UNIX application considerations  538
    Threads and security  538
    Application services and security  540
    Restrictions of RACF client ACEE support  540

Chapter 19. RACF and digital certificates  543
  Overview of digital certificates  544
    Public and private keys  544
    X.509 certificates  545
    Certificate hierarchies  546
    Certificate formats  547
  Using certificates with z/OS client/server applications  548
    Enabling client login using certificates  551
  Using RACF to manage digital certificates  553
    Size restrictions for private keys  554
  Using the RACDCERT Command to Administer Certificates  554
    Sharing the RACF database with a z/VM system  555


    Controlling the Use of the RACDCERT Command  556
    Examples of adding digital certificate information  558
    Examples of listing digital certificate information  558
    Examples of checking digital certificate information  562
    Examples of altering digital certificate information  564
    Examples of deleting digital certificates  564
  DIGTCERT general resource profiles  565
    Ownership of DIGTCERT profiles  566
    RACLISTing the DIGTCERT class  566
  RACF and key rings  566
    DIGTRING general resource profiles  567
    Sharing a private key using a key ring  568
    Using a virtual key ring  568
  RACF and z/OS PKCS #11 tokens  568
    Creating and populating PKCS #11 tokens  569
  Certificate Name Filtering  571
    Interpreting the X.500 Directory Information Tree  571
    Creating Certificate Name Filters  572
    Types of Certificate Name Filters  574
    How RACF Processes Certificate Name Filters  578
    Using an Existing Certificate as a Model  578
    Excluding a Certificate Using the NOTRUST Option  579
    Mapping Multiple User IDs Using Additional Criteria  579
  Automatic registration of digital certificates  583
  Integrated Cryptographic Service Facility (ICSF) considerations  584
    Using a PCI cryptographic coprocessor to generate private keys  584
    Migrating an ICSF private key from one system to another  584
  The irrcerta, irrmulti, and irrsitec user IDs  586
  Renewing an expiring certificate  586
    Renewing a certificate with the same private key  586
    Renewing (rekeying) a certificate with a new private key  588
  Supplied digital certificates  591
    Steps to begin using a supplied CA certificate  592
  Implementation Scenarios  592
    Scenario 1: Secure Server with a Certificate Signed by a Certificate Authority  592
    Scenario 2: Secure Server with a Locally Signed Certificate  594
    Scenario 3: Migrating an ikeyman or gskkyman Certificate  595
    Scenario 4: Secure Server-to-Server Session Enablement  595
    Scenario 5: Creating Client Browser Certificates with a Locally Signed Certificate  597
    Scenario 6: Enabling Secure Outbound FTP  598
    Scenario 7: Sharing One Certificate Between Multiple Servers  598
    Scenario 8: Using the IBM Encryption Facility for z/OS  600

Chapter 20. Controlling applications that invoke callable services  603
  Authorizing applications  603
    Defining applications as RACF users  604
    Defining resources that control callable services  604
    Activating your authorizations  604
  initACEE (IRRSIA00) callable service  605
    Registering user certificates  605
    Deregistering user certificates  605
    Replacing certificate-authority certificates  605
    Using a hostIdMappings extension  606
  R_admin (IRRSEQ00) callable service  607


    Permitting access to IRR.RADMIN resources  607
  R_auditx (IRRSAX00) callable service  608
  R_cacheserv (IRRSCH00) callable service  608
  R_datalib (IRRSDL00 or IRRSDL64) callable service  608
    Extracting private keys  609
    Managing certificate serial numbers  609
  R_dcekey (IRRSDK00) callable service  609
  R_GetInfo (IRRSGI00) callable service  610
  R_dceruid (IRRSUD00) callable service  610
  R_PKIServ (IRRSPX00) callable service  610
    Authorizing end-user functions  610
    Authorizing administrative functions  613
  R_proxyserv (IRRSPY00) callable service  614
  R_ticketserv (IRRSPK00) callable service  614
    Permitting access to the IRR.RTICKETSERV resource  614

Chapter 21. Configuring z/OS to participate in an EIM domain  617
  Defining RACF as the local EIM registry  618
  Defining Kerberos or X.509 registry names  618

Chapter 22. RACF and the z/OS LDAP server  619
  Defining an LDAPBIND class profile  619
  LDAP event notification  620
    LDAP change log entries  621
    LDAP notification occurs in real-time only  622
    RRSF considerations for applications that exploit enveloping  623
    Activating LDAP change notification  623

Chapter 23. Password and password phrase enveloping  625
  Overview of enveloping  625
    Resources that control enveloping  626
    Signing hash algorithm and encryption strength used to create the envelope  627
    The IRR.PWENV.KEYRING key ring  628
    Controlling envelope retrieval  628
    The NOTIFY.LDAP.USER resource  628
  Setting up enveloping  629
    Preparing the address space of the RACF subsystem  629
    Generating a local CA certificate using RACF as the CA  630
    Generating an X.509 V3 certificate for the RACF address space  630
    Generating an X.509 V3 certificate for the envelope recipient  631
    Copying the certificates to the host system (if generated elsewhere)  633
    Exporting RACF's certificate to the recipient key database  634
    Authorizing the envelope recipient  635
  Activating enveloping  635
  Disabling enveloping  637
    Steps for disabling enveloping and deleting existing envelopes  637
  Planning considerations for heterogeneous password synchronization  639

Chapter 24. Defining and using custom fields  641
  Overview of custom fields  641
  Task roadmap for defining and using custom fields  642
  Defining a custom field and its field attributes  642
    Profiles in the CFIELD class  643
    Steps for defining a custom field and its attributes  644
  Activating a custom field  647
    Steps for activating a custom field  647


  Adding data to a custom field  648
    Steps for adding data to a custom field  648
  Authorizing users to define custom fields  650
    Steps for authorizing users to define custom fields  650
  Authorizing users to update data in a custom field  651
    Authorizing users for the ISPF panels to update custom field data  651
    Steps for authorizing users to update data in a custom field  651
  Changing attributes of an existing custom field  652
    When you need to change the data type  653
    When you need to change MAXLENGTH of a numeric field  654
  Removing a custom field  656
    Steps for removing a custom field  656
  Common errors when defining and using custom fields  657
    Errors defining a custom field  657
    Errors adding data to a custom field  657
  RRSF considerations for custom fields  658

Chapter 25. Authorizing help desk functions  661
  Delegating the authority to list user information  662
    Delegating the authority to list user information in any user profile  662
    Delegating the authority to list user information in only selected user profiles  663
    Delegating the authority to list user information by owner  664
    Delegating the authority to list user information by group tree  664
    Excluding selected user profiles  666
  Delegating the authority to reset passwords and password phrases  667
    Levels of authority  667
    Delegating the authority to reset the password for any user  668
    Delegating the authority to reset passwords for only selected users  669
    Delegating the authority to reset passwords by owner  670
    Delegating the authority to reset passwords by group tree  671
    Excluding selected users  672
    Delegating both by owner and by group tree  674
  Examples of delegating help desk authorities  675
    Delegating help desk authorities by owner  675
    Delegating help desk authorities by group tree  675
    Delegating help desk authorities for all users, excluding selected users  676

Appendix A. Supplied RACF resource classes  677
  Supplied resource classes for z/OS systems  677
  Supplied resource classes for z/VM systems  684

Appendix B. Summary of RACF commands and authorities  687
  Summary of commands and their functions  687
  Summary of Authorities and Commands  691
    The SPECIAL or group-SPECIAL Attribute  692
    The AUDITOR or group-AUDITOR Attribute  693
    The OPERATIONS or group-OPERATIONS Attribute  693
    The CLAUTH Attribute  693
    Group Authority  694
    Access Authority  695
    Profile Ownership Authority  695
    Other Authorities  696

Appendix C. Listings of RACF supplied certificates  699
  RACDCERT LIST command output listings  699


Appendix D. Security for system data sets  707

Appendix E. Debugging Problems in the RACF Database  711
  Checklist: Resolving Problems When Access Is Denied Unexpectedly  711
  Checklist: Resolving Problems When Access Is Allowed Incorrectly  713
  When Changes to Data Set Profiles Take Effect  714
  Authorization Checking for RACF-Protected Resources  715
    When Authorization Checking Takes Place and Why  715
    Authorizing Access to RACF-Protected Resources  716
    Pictorial View of RACF Authorization Checking  721
    Authorizing Access to z/OS UNIX Files and Directories  726
    Authorizing Access to RACF-Protected Terminals  729
    Authorizing Access to Consoles, JES Input Devices, APPC Partner LUs, or IP Addresses  729
    Authorization Checking for RACROUTE REQUEST=FASTAUTH Requests  731
    Authorizing Access to RACF-Protected Applications  732
    Security Label Authorization Checking  732
    Relationships among the SECLABEL class, SETROPTS MLS(FAILURES), SETROPTS MLACTIVE(FAILURES) and SETROPTS MLQUIET  736
  Problems with User ID Authentication  737
    When Logon or Job Initialization Processing Takes Place and Why  737
    Logon/Job Initialization Processing  738

Appendix F. Accessibility  741
  Using assistive technologies  741
  Keyboard navigation of the user interface  741
  z/OS information  741

Notices  743
  Policy for unsupported hardware  745
  Trademarks  745

Glossary  747
  Sequence of entries  747
  Organization of entries  747
  References  747
  Selection of terms  747

Index  765


Figures

 1. RACF authorization checking  4
 2. Sample ISPF panel for RACF  15
 3. Scope of control of an attribute assigned at the group level  17
 4. User and group relationships  43
 5. Group-level authority structure  83
 6. Scope of authority for a group-SPECIAL user  84
 7. Delegating authority (user profiles)  96
 8. Example of two network LU partners  239
 9. Reports produced by DSMON  353
10. Member UGRP: Users with extraordinary group authorities: report format statements  370
11. Member UGRPCNTL: Users with extraordinary group authorities: record selection statements  371
12. Report of all users with extraordinary group authorities  372
13. Customized record selection criteria  374
14. Customized report format  375
15. Customized report JCL  375
16. Sample SQL utility statements: Defining a table space  376
17. Sample SQL utility statements: Creating a table  377
18. Sample SQL utility statements: Creating indexes  378
19. DB2 utility statements required to load the tables  379
20. DB2 utility statements required to delete the group records  379
21. Sample SQL to process revoke and resume dates  383
22. A sample SQL query  384
23. A sample QMF form  385
24. A sample report  385
25. Using the remove ID utility  387
26. Searching for all residual references  390
27. Searching for specific references  390
28. Specifying a replacement ID  391
29. Running IRRRID00 with an empty SYSIN: Sample input  392
30. Running IRRRID00 with an empty SYSIN: Sample output  392
31. Running IRRRID00 with data in SYSIN: Sample input  393
32. Running IRRRID00 with data in SYSIN: Sample output  393
33. Sample output from the IRRRID00 utility  395
34. An RRSF network  403
35. Captured Output From a Password Synchronization Request  406
36. RACLINK ID(userid) LIST(*.*) Output  409
37. Captured Output from a Directed LISTGRP Command  412
38. Captured Output from a Directed ADDSD Command  412
39. DCE/RACF user ID cross linking example  436
40. Changing a DCE user with ALTUSER  438
41. Output of the LISTUSER command for user CSMITH  438
42. Message processing (MPP) example  451
43. Batch message processing (BMP) example  451
44. Which NODES profiles are used?  473
45. Example: Simple NJE user translation  481
46. Example: Simple NJE user translation using &SUSER  482
47. Example: Trusted, semitrusted, and untrusted nodes  483
48. Example of a simple certificate hierarchy  546
49. A high-level view of a secure z/OS handshake using a public key network protocol  549
50. Controlling access to RACDCERT functions  557
51. Output from the RACDCERT LIST command  559
52. Output from the RACDCERT LISTRING command  560
53. Output from the RACDCERT LIST command with LABEL  560


54. Output from the RLIST DIGTCERT command  561
55. Output from the SEARCH CLASS(DIGTCERT) command  562
56. Example of an X.500 directory information tree  572
57. Sample RACDCERT MAP command for creating an issuer's name filter  573
58. Sample output from the LISTMAP command for an issuer's name filter  574
59. Sample RACDCERT MAP commands for creating subject's name filters  575
60. Sample RACDCERT MAP command for creating a subject's and issuer's name filter  576
61. Sample RACDCERT MAP commands using a model certificate  579
62. Sample RACDCERT MAP commands not using a model certificate  579
63. Sample RACDCERT MAP command using the NOTRUST option  579
64. Sample RACDCERT MAP and RDEFINE commands for mapping multiple user IDs  581
65. Sample output from the LISTMAP command for a MULTIID filter  581
66. Sample RACDCERT MAP and RDEFINE commands using multiple criteria  582
67. Sample group and user structure for delegating help desk authorities  674
68. Process flow of callers of RACF for RACROUTE REQUEST=AUTH requests  721
69. Process flow of SAF router for RACROUTE REQUEST=AUTH requests  722
70. Process flow of RACF router  723
71. Process flow of RACF authorization checking  724


z/OS V1R10.0 Security Server RACF Security Administrator's Guide

Tables

1. User attributes . . . 18
2. Commands to list profile contents . . . 30
3. Command to search for profile names . . . 32
4. Participants of the security implementation team . . . 36
5. Checklist for implementation team activities . . . 46
6. Group authorities . . . 58
7. Scope of authority for user attributes at the group level . . . 81
8. Sample profile names for STARTED class resources . . . 151
9. Sample data set profile names in order from most specific to least specific (EGN off) . . . 164
10. Sample data set profile names in order from most specific to least specific (EGN on) . . . 165
11. Protecting GDG data sets using generic profiles . . . 172
12. Access authorities for DASD data sets . . . 175
13. RACF commands used with general resource profiles . . . 201
14. Choosing among generic profiles, resource group profiles, and RACFVARS profiles . . . 205
15. Sample general resource profile names in order from most specific to least specific . . . 209
16. ALTER, NONE, and CONTROL, UPDATE, and READ access authorities for general resources . . . 212
17. Comparison of GRPACC attribute with &RACGPID.** entry in global access checking table . . . 218
18. Relationship of RACF command operands to FIELD profile names . . . 222
19. Delegating authority in the FACILITY class . . . 227
20. RACF classes used to authorize operator commands . . . 267
21. RACF operator command profiles: Naming conventions . . . 268
22. RACF TSO commands entered as operator commands: Naming conventions . . . 269
23. Automatic command direction: Resource names . . . 276
24. KEYSMSTR class profiles . . . 291
25. Processing options controlled simultaneously for classes sharing a POSIT value . . . 300
26. ICHERCDE macro operands and the corresponding operands for the RDEFINE and RALTER commands . . . 311
27. Correlation of record type, record name, and DB2 table name . . . 380
28. RRSFDATA resources to control propagation of certificate information . . . 431
29. NODES class operands and the UACC meaning for inbound jobs . . . 475
30. NODES class operands, UACC, and SYSOUT ownership when node is not defined to &RACLNDE . . . 478
31. TSO command usage when RACF protection is enabled . . . 516
32. The UNIXMAP class and VLF: Effects on performance for installations that have not reached stage 3 of application identity mapping . . . 530
33. Subjects' and issuers' distinguished names . . . 571
34. Summary of access authorities required for PKI Services requests . . . 612
35. LDAP event notification of RACF profile changes . . . 621
36. Resource classes for z/OS systems . . . 677
37. Resource classes for z/VM systems . . . 684
38. Functions of RACF commands . . . 687
39. Commands and operands you can issue if you have the SPECIAL or group-SPECIAL attribute . . . 692
40. Commands and operands you can issue if you have the AUDITOR or group-AUDITOR attribute . . . 693
41. Commands and operands you can issue if you have the OPERATIONS or group-OPERATIONS attribute . . . 693
42. Commands and operands you can issue if you have the CLAUTH attribute . . . 693
43. Commands and operands you can issue if you have a group authority . . . 694
44. Commands and operands you can issue if you have an access authority . . . 695
45. Commands and operands you can issue if you own a profile . . . 695
46. Commands and operands you can issue for miscellaneous reasons . . . 696
47. UACC values for system data sets . . . 707
48. Required relationship between security levels for each MAC checking type . . . 733


49. Security label authorization checking when SECLABEL class is active and either SETROPTS MLS(FAILURES) or MLS(WARNING) is in effect . . . 734
50. Security label authorization checking when SECLABEL class is active and either SETROPTS NOMLS is in effect or the user is in writedown mode . . . 735
51. Effects of MLACTIVE settings on security label authorization . . . 736
52. Relationships among the SECLABEL class, SETROPTS MLS(FAILURES), SETROPTS MLACTIVE(FAILURES), and SETROPTS MLQUIET . . . 736
53. Resource classes checked for logon and job initialization requests . . . 739


About this document

This document supports z/OS (5694-A01) and contains information about Resource Access Control Facility (RACF), which is part of z/OS Security Server. This document provides information to help the security administrator plan for and administer the RACF component of z/OS Security Server.

Who should use this document

Security administrators, group administrators, and other administrators who are responsible for system data security and integrity on a z/OS system should use this document for such tasks as:
• Planning how to use RACF to increase the security of the system
• Deciding which resources to protect
• Performing administration tasks
• Coordinating with administrators of other products

Readers should be familiar with RACF concepts and terminology. The readers of this document should also be familiar with z/OS systems. RACF overview information can be obtained from the RACF home page: http://www.ibm.com/servers/eserver/zseries/zos/racf/

How to use this document

Much of this document describes how to protect resources, such as data sets, terminals, and others. In general, you first need to define users to RACF and set some RACF options. Then, depending on your security plan, you select classes of resources to protect and create resource profiles for them. If you are reading this document for the first time, consider reading the following parts first:
• Chapter 1, Introduction, on page 1
• Chapter 2, Organizing for RACF Implementation, on page 35
• Chapter 3, Defining Groups and Users, on page 49
• Defining Profiles for General Resources on page 201
• Setting Up the Global Access Checking Table on page 214
• Getting Started with RACF (after First Installing RACF) on page 347
• Appropriate portions of Chapter 5, Specifying RACF Options, on page 109

Where to find more information

Where necessary, this document references information in other documents. For complete titles and order numbers for all elements of z/OS, see z/OS Information Roadmap.

Softcopy publications

The RACF library is available on the following CD-ROM, DVD, and online library collections. The collections include Softcopy Reader, which is a program that enables you to view the softcopy documents.


Preface

SK3T-4269 z/OS Version 1 Release 10 Collection
This collection contains the set of unlicensed documents for the current release of z/OS in both BookManager and Portable Document Format (PDF) files. You can view or print the PDF files with an Adobe Reader.

SK3T-4272 z/OS Security Server RACF Collection
This softcopy collection kit contains the Security Server library for z/OS for multiple releases in both BookManager and Portable Document Format (PDF) formats. It also contains z/OS software product documents that contain substantial RACF information. This collection does not contain licensed publications.

SK3T-7876 IBM eServer zSeries Redbooks Collection
This softcopy collection contains a set of documents called IBM Redbooks that pertain to zSeries subject areas ranging from e-business application development and enablement to hardware, networking, Linux, solutions, security, Parallel Sysplex and many others.

SK2T-2177 IBM Redbooks S/390 Collection
This softcopy collection contains a set of documents called IBM Redbooks that pertain to S/390 subject areas ranging from application development and enablement to hardware, networking, security, Parallel Sysplex and many others.

RACF courses

The following RACF classroom courses are available in the United States:
H3917 Basics of z/OS RACF Administration
H3927 Effective RACF Administration
ES885 Exploiting the Advanced Features of RACF
ES840 Implementing RACF Security for CICS

IBM provides a variety of educational offerings for RACF. For more information about classroom courses and other offerings, do any of the following:
• See your IBM representative
• Call 1-800-IBM-TEACH (1-800-426-8322)

IBM systems center publications

IBM systems centers produce documents known as IBM Redbooks that can help you set up and use RACF. These documents have not been subjected to any formal review nor have they been checked for technical accuracy, but they represent current product understanding (at the time of their publication) and provide valuable information on a wide range of RACF topics. They are not shipped with RACF; you must order them separately. A selected list of these documents follows. Other documents are available, but they are not included in this list, either because the information they present has been incorporated into IBM product manuals or because their technical content is outdated.

GG24-4282 Secured Single Signon in a Client/Server Environment
GG24-4453 Enhanced Auditing Using the RACF SMF Data Unload Utility


GG26-2005 RACF Support for Open Systems Technical Presentation Guide
SG24-4704 OS/390 Security Services and RACF-DCE Interoperation
SG24-4820 OS/390 Security Server Audit Tool and Report Application
SG24-5158 Ready for e-business: OS/390 Security Server Enhancements
SG24-6840 Communications Server for z/OS V1R2 TCP/IP Implementation Guide Volume 7: Security

Other sources of information

IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is also available through the Internet.

IBM discussion areas

IBM provides the ibm.servers.mvs.racf newsgroup for discussion of RACF-related topics. You can find this newsgroup on the news (NNTP) server news.software.ibm.com using your favorite news reader client.

Internet sources

The following resources are available through the Internet to provide additional information about the RACF library and other security-related topics:
• Online library
  To view and print online versions of the z/OS publications, use this address: http://www.ibm.com/systems/z/os/zos/bkserv/
• Redbooks
  The documents known as IBM Redbooks that are produced by the International Technical Support Organization (ITSO) are available at the following address: http://www.redbooks.ibm.com
• Enterprise systems security
  For more information about security on the S/390 platform, OS/390, and z/OS, including the elements that comprise the Security Server, use this address: http://www.ibm.com/systems/z/advantages/security/
• RACF home page
  You can visit the RACF home page on the World Wide Web using this address: http://www.ibm.com/servers/eserver/zseries/zos/racf/
• RACF-L discussion list
  Customers and IBM participants may also discuss RACF on the RACF-L discussion list. RACF-L is not operated or sponsored by IBM; it is run by the University of Georgia. To subscribe to the RACF-L discussion and receive postings, send a note to: [email protected]
  Include the following line in the body of the note, substituting your first name and last name as indicated: subscribe racf-l first_name last_name
  To post a question or response to RACF-L, send a note, including an appropriate Subject: line, to: [email protected]

• Sample code
  You can get sample code, internally-developed tools, and exits to help you use RACF. This code works in our environment, at the time we make it available, but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use. To access this code from a Web browser, go to the RACF home page and select the Downloads topic from the navigation bar, or go to www.ibm.com/servers/eserver/zseries/zos/racf/goodies.html. The code is also available from ftp.software.ibm.com through anonymous FTP. To get access:
  1. Log in as user anonymous.
  2. Change the directory, as follows, to find the subdirectories that contain the sample code or tool you want to download: cd eserver/zseries/zos/racf/

  An announcement will be posted on the RACF-L discussion list and on newsgroup ibm.servers.mvs.racf whenever something is added.
  Note: Some Web browsers and some FTP clients (especially those using a graphical interface) might have problems using ftp.software.ibm.com because of inconsistencies in the way they implement the FTP protocols. If you have problems, you can try the following:
  - Try to get access by using a Web browser and the links from the RACF home page.
  - Use a different FTP client. If necessary, use a client that is based on command line interfaces instead of graphical interfaces.
  - If your FTP client has configuration parameters for the type of remote system, configure it as UNIX instead of MVS.

  Restrictions: Because the sample code and tools are not officially supported:
  - There are no guaranteed enhancements.
  - No APARs can be accepted.

To request copies of IBM publications

Direct your request for copies of any IBM publication to your IBM representative or to the IBM branch office serving your locality. There is also a toll-free customer support number (1-800-879-2755) available Monday through Friday from 8:30 a.m. through 5:00 p.m. Eastern Time. You can use this number to:
• Order or inquire about IBM publications
• Resolve any software manufacturing or delivery concerns
• Activate the program reorder form to provide faster and more convenient ordering of software updates


Summary of changes

Summary of changes for SA22-7683-12 z/OS Version 1 Release 10

This document contains information previously presented in z/OS Security Server RACF Security Administrator's Guide, SA22-7683-11, which supports z/OS Version 1 Release 9.

New information
• Processing the BPX.DEFAULT.USER profile on page 398
• Creating and populating PKCS #11 tokens on page 569
• Migrating an ICSF private key from one system to another on page 584
• Chapter 24, Defining and using custom fields, on page 641
• Chapter 25, Authorizing help desk functions, on page 661

Changed information
• The following topics are updated to support password phrases:
  - Extending Password and User ID Processing (PASSWORD Option) on page 114
  - RRSF Considerations for z/OS Network Authentication Service on page 432
  - Chapter 23, Password and password phrase enveloping, on page 625
  - LDAP event notification on page 620
• The following topics are updated to support custom fields:
  - Group Profiles on page 52
  - User Profiles on page 62
  - Field-level access checking on page 220
  - IRRDBU00: Operational Considerations on page 365
  - DB2 Table Names on page 379
  - Preparing to Use Automatic Direction on page 415
• The following topics are updated to support password reset granularity:
  - Delegating the authority to list user information on page 662
  - Delegating the authority to reset passwords and password phrases on page 667
  - Using the RACF remove ID (IRRRID00) utility on page 386
• Size restrictions for private keys on page 554 is updated to support 4096-bit RSA keys.
• Appendix A, Supplied RACF resource classes, on page 677 includes new classes.
• Appendix B, Summary of RACF commands and authorities, on page 687 includes new functions.
• Glossary on page 747 is updated with new terms.

Moved information
• The information presented in the chapter previously entitled RACF and z/OS Security Server Network Authentication Service is removed from this publication. The information is now presented in z/OS Integrated Security Services Network Authentication Service Administration.


• The following topics were previously presented in Chapter 7, Protecting General Resources, on page 199. They now appear in Chapter 25, Authorizing help desk functions, on page 661.
  - Delegating the authority to list user information on page 662
  - Delegating the authority to reset passwords and password phrases on page 667

Deleted information
• The information presented in the chapter previously entitled RACF and Tivoli Products is removed from this publication. For information about using Tivoli products with RACF, visit the Tivoli software information center at http://publib.boulder.ibm.com/tividd/td/link/tdprodlist.html.
• The information presented in the chapters previously entitled Controlling access to DB2 objects and RACF External Security Module: Authorization checking are removed from this publication. This information is presented in DB2 RACF Access Control Module Guide.

You may notice changes in the style and structure of some content in this document, for example, headings that use uppercase for the first letter of initial words only, and procedures that have a different look and format. The changes are ongoing improvements to the consistency and retrievability of information in our documents.

This document contains terminology, maintenance, and editorial changes. Technical changes or additions to the text and illustrations are indicated by a vertical line to the left of the change.

Summary of changes for SA22-7683-11 z/OS Version 1 Release 9

This document contains information previously presented in z/OS Security Server RACF Security Administrator's Guide, SA22-7683-08, SA22-7683-09, and SA22-7683-10, which support z/OS Version 1 Release 8.

New information
• Processing password intervals for protected users on page 382
• RACF and z/OS PKCS #11 tokens on page 568
• RACLISTing the DIGTCRIT class on page 580

Changed information
• Assigning password phrases on page 89 is updated to support enhancements to password phrases.
• The following topics are updated for enhancements to support for z/OS Cryptographic Services PKI Services:
  - RACF and key rings on page 566
  - R_datalib (IRRSDL00 or IRRSDL64) callable service on page 608
• The following topics are updated for enhancements to support for z/OS Security Server Network Authentication Service:
  - Defining your local realm
  - Defining local principals
  - Generating keys for local principals


• Appendix A, Supplied RACF resource classes, on page 677 includes new classes.
• Appendix B, Summary of RACF commands and authorities, on page 687 includes new functions.

The following topics are updated in support of APARs:
• OA16755
  - Unknown, blank, and undefined security labels on page 472
• OA18243
  - Simple program protection in BASIC or ENHANCED mode on page 318
• OA18540
  - RRSF Considerations for Digital Certificates on page 430
• OA19353
  - Activating Generic Profile Checking and Generic Command Processing on page 120
  - Generic Profile Checking for the DATASET Class on page 163
  - Generic Profile Checking of General Resources on page 209
  - RRSF Considerations for Digital Certificates on page 430
  - DIGTCERT general resource profiles on page 565
  - DIGTRING general resource profiles on page 567
• OA20162
  - Appendix A, Supplied RACF resource classes, on page 677
• OA20304
  - RACF and z/OS Security Server Network Authentication Service

The following topics are updated based on readers' comments:
• Delegating the authority to reset passwords and password phrases on page 667
• Controlling the Use of Operator Commands on page 268
• Controlling the Opening of VTAM ACBs on page 281
• Maintaining a clean environment in BASIC or ENHANCED mode on page 321
• Comparing LISTUSER and LISTGRP output with IRRDBU00 on page 382
• Using IRRRID00 output on page 393
• Using the RACDCERT Command to Administer Certificates on page 554
• RACLISTing the DIGTCERT class on page 566
• Renewing a certificate with the same private key on page 586

Deleted information
• The topic previously entitled SETROPTS KERBLVL processing is removed from the chapter entitled RACF and z/OS Security Server Network Authentication Service. Beginning with z/OS Version 1 Release 9, the KERBLVL operand of the SETROPTS command is ignored.

This document contains terminology, maintenance, and editorial changes, including changes to improve consistency and retrievability.

Summary of changes for SA22-7683-09 and SA22-7683-10 z/OS Version 1 Release 8


This document contains information previously presented in z/OS Security Server RACF Security Administrator's Guide, SA22-7683-08, which supports z/OS Version 1 Release 8.

New information
• Using password phrases with shared downlevel systems on page 91

Changed information
• The following topics were updated to support APAR OA17400:
  - How Users and Groups Are Authorized to Access Resources on page 7
  - Possible Changes to Copied Profiles When Modeling Occurs on page 40
  - Conditional Access Lists for General Resource Profiles on page 212
  - Authorization Checking for RACROUTE REQUEST=FASTAUTH Requests on page 731
• The term pass phrase was changed to password phrase.

This document contains terminology, maintenance, and editorial changes, including changes to improve consistency and retrievability.

Summary of changes for SA22-7683-08 z/OS Version 1 Release 8

This document contains information previously presented in z/OS Security Server RACF Security Administrator's Guide, SA22-7683-07, which supports z/OS Version 1 Release 7.

New information
• Using restricted user IDs with a shared z/VM system on page 89
• Assigning password phrases on page 89
• Using DFSMSrmm with RACF on page 180
• Disallowing Generic Profile Names for General Resources on page 205
• Considerations for the key qualifier value on page 206
• Defining a dynamic class with generics disallowed on page 305
• Shared system rules for disallowing generics with dynamic classes on page 312
• Automatic password direction: Synchronizing Passwords and Password Phrases on page 432
• Examples of deleting digital certificates on page 564
• Ownership of DIGTCERT profiles on page 566
• Disabling enveloping on page 637

Changed information
• The following topics are updated to support password phrases:
  - Setting the Maximum and Minimum Change Interval (PASSWORD Option) on page 113
  - The RACF password processing exits on page 25
  - The Base Segment in User Profiles on page 64
  - Defining Protected User IDs on page 87
  - Delegating the authority to reset passwords and password phrases on page 667


  - Controlling Password Synchronization on page 273
  - Password Synchronization on page 405
• The following topics are updated to support enhancements for z/OS Cryptographic Services PKI Services and IBM Encryption Facility:
  - Size restrictions for private keys on page 554
  - Using a virtual key ring on page 568
  - Using a PCI cryptographic coprocessor to generate private keys on page 584
  - Scenario 8: Using the IBM Encryption Facility for z/OS on page 600
• The following topics are updated to support z/OS DFSMSrmm enhancements:
  - Preventing Access to Uncataloged Data Sets (CATDSNS Option) on page 124
  - Erasing Scratched or Rele