z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00
Abstract for Security Server RACF Security Administrator's Guide
z/OS Version 2 Release 1 summary of changes
Introduction
How RACF meets security needs
User identification and verification
Authorization checking
Logging and reporting
User accountability
RACF users
RACF groups
What RACF controls
How users and groups are authorized to access resources
Using ID(*) on the access list
RACF profiles
Flexibility
RACF transparency
Implementing multilevel security
Multilevel security
Characteristics of a multilevel-secure environment
Mandatory access control (MAC)
Security labels
Discretionary access control (DAC)
Resource reuse
Identification and authentication
Auditability of security-related events
Administering security
Delegating administration tasks
Administering security when a z/VM system shares the RACF database
Using RACF commands or panels
Choosing between using RACF TSO commands and ISPF panels
Additional authorization for using the ISPF panels
RACF group and user structure
Defining users and groups
Assigning optional user attributes
Assigning group authorities
Profiles associated with users and groups
The user profile
The group profile
Protecting resources
Protecting data sets
Protecting general resources
Installation-defined classes
Authority to create resource profiles
Authority to modify or delete resource profiles
Owners of resource profiles
Setting up the global access checking table
Security classification of users and data
Selecting RACF options
Using RACF installation exits to customize RACF
The RACROUTE REQUEST=VERIFY, VERIFYX, AUTH, and DEFINE exits
The RACROUTE REQUEST=LIST exits
The RACROUTE REQUEST=FASTAUTH exits
The RACF command exits
The RACF password processing exits
The RACF password authentication exits
Tools for the security administrator
Using RACF utilities
RACF database initialization utility (IRRMIN00)
RACF database split/merge/extend utility (IRRUT400)
RACF database unload utility (IRRDBU00)
RACF database verification utility (IRRUT200)
RACF cross-reference utility (IRRUT100)
RACF remove ID utility (IRRRID00)
RACF SMF data unload utility (IRRADU00)
RACF block update command (BLKUPD)
Using the RACF report writer
Using the data security monitor
Recording statistics in RACF profiles
Listing information from RACF profiles
Searching for RACF profile names
Using the LIST and SEARCH commands effectively
Organizing for RACF implementation
Ensuring management commitment
Selecting the security implementation team
Responsibilities of the implementation team
Defining security objectives and preparing the implementation plan
Deciding what to protect
Protecting existing data
Protecting new data
Profile modeling
Possible changes to copied profiles when modeling occurs
Allowing a warning period
Establishing ownership structures
Selecting user IDs and group names
Establishing your RACF group structure
Educating the system users
Summary
Defining groups and users
Defining RACF groups
Types of groups
Administrative groups
Holding groups
Data control groups
Functional groups
User groups
Group profiles
The Base segment in group profiles
The CSDATA segment in group profiles
The DFP segment in group profiles
The OMVS segment in group profiles
The OVM segment in group profiles
The TME segment in group profiles
Defining large groups with the UNIVERSAL attribute
Group naming conventions
Benefits of using RACF groups
Reducing the effort of maintaining access lists
Avoiding the need to refresh in-storage profiles
Providing a form of timed PERMIT
Group ownership and levels of group authority
Ownership of a RACF group
Group ownership of profiles
Group authorities
Suggestions for assigning group authorities
Total delegation
Partial delegation
The group terminal option
Summary of steps for defining a RACF group
Summary of steps for deleting groups
Defining users
User profiles
The base segment in user profiles
The CICS segment in user profiles
The CSDATA segment in user profiles
The DCE segment in user profiles
The DFP segment in user profiles
The KERB segment in user profiles
The LANGUAGE segment in user profiles
The LNOTES segment in user profiles
The NDS segment in user profiles
The NETVIEW segment in user profiles
The OMVS segment in user profiles
The OPERPARM segment in user profiles
The OVM segment in user profiles
The PROXY segment in user profiles
The TSO segment in user profiles
The WORKATTR segment in user profiles
User naming conventions
Suggestions for defining user IDs
Migrating existing user IDs to RACF
Creating new user IDs from scratch
Creating user IDs for system operators
Creating user IDs for RRSF users
Ownership of a RACF user profile
User attributes
The SPECIAL attribute
The AUDITOR attribute
The OPERATIONS attribute
Limiting the capabilities of the OPERATIONS attribute
OPERATIONS and DASDVOL authority
The CLAUTH (class authority) attribute
The REVOKE attribute
The GRPACC (group access) attribute
The ADSP (automatic data set protection) attribute
The RESTRICTED attribute
User attributes at the group level
The scope of authority for the users with group-level attributes
Suggestions for assigning user attributes
Verifying user attributes
Default universal access authority (UACC)
Assigning security categories, levels, and labels to users
Limiting when a user can access the system
Time-of-day and day-of-week checking for users and terminals
Defining protected user IDs
Restrictions for using protected user IDs with z/VM systems
Defining restricted user IDs
Using restricted user IDs for digital certificate users
Using restricted user IDs for distributed identity users
Using restricted user IDs with a shared z/VM system
Assigning password phrases
Using password phrases with shared downlevel systems
Summary of steps for defining users
Summary of steps for deleting users
General considerations for user ID delegation
Classifying users and data
Security classification of users and data
Effect on RACF authorization checking
Security levels and security categories
Security labels
Understanding security levels and security categories
CATEGORY and SECLEVEL information in profiles
Converting from LEVEL to SECLEVEL
Deleting UNKNOWN categories
Maintaining categories in an RRSF environment
Understanding security labels
Comparing security labels
Considerations related to security labels
How users specify current security labels
Listing security labels
Displaying the default security label for a user ID
Displaying the current security label for a user ID
Finding out which security labels a user can use
Searching by security labels
Restricting security label changes
Requiring security labels
Controlling the write-down privilege
Steps for controlling the write-down privilege
Planning considerations for security labels
Specifying RACF options
Using the SETROPTS command
SETROPTS options for initial setup
Allowing mixed-case passwords (PASSWORD option)
Migration considerations for mixed-case passwords
Establishing password syntax rules (PASSWORD option)
Setting the maximum and minimum change interval (PASSWORD option)
Extending password and user ID processing (PASSWORD option)
Revoking unused user IDs (INACTIVE option)
Activating list-of-groups checking (GRPLIST option)
GRPLIST considerations for z/OS UNIX
Setting the RVARY passwords (RVARYPW option)
Restricting the creation of general resource profiles (GENERICOWNER option)
Activating general resource classes (CLASSACT option)
Activating generic profile checking and generic command processing
Activating statistics collection (STATISTICS option)
STATISTICS example
Using options in RACROUTE REQUEST=VERIFY statistics collection
Reducing application logon statistics
Steps for specifying daily logon statistics
Considerations for using daily logon statistics
Bypassing resource statistics collection
Activating global access checking (GLOBAL option)
RACF-protecting all data sets (PROTECTALL option)
Activating JES2 or JES3 RACF support
Preventing access to uncataloged data sets (CATDSNS option)
Activating enhanced generic naming for the DATASET class (EGN option)
Controlling data set modeling (MODEL option)
Bypassing automatic data set protection (NOADSP option)
Displaying and logging real data set names (REALDSN option)
Protecting data sets with single-qualifier names (PREFIX option)
Activating tape data set protection (TAPEDSN option)
Activating tape volume protection (TAPEVOL option)
Establishing a security retention period for tape data sets (RETPD option)
Erasing scratched or released data (ERASE option)
Establishing national language defaults (LANGUAGE option)
SETROPTS options to activate in-storage profile processing
SETROPTS GENLIST processing
Deactivating SETROPTS GENLIST processing
SETROPTS GENLIST processing on shared systems
Refreshing profiles for SETROPTS GENLIST processing
SETROPTS RACLIST processing
Additional considerations for RACLIST
Deactivating SETROPTS RACLIST processing
SETROPTS RACLIST processing on shared systems
Refreshing profiles for SETROPTS RACLIST processing
SETROPTS REFRESH option for special cases
Refreshing in-storage generic profile lists (GENERIC REFRESH option)
Refreshing global access checking lists (GLOBAL REFRESH option)
Refreshing shared systems (REFRESH option)
SETROPTS options for special purposes
Protecting undefined terminals (TERMINAL option)
Activating the security classification of users and data
Establishing the maximum VTAM session interval (SESSIONINTERVAL option)
Activating program control (WHEN(PROGRAM) option)
SETROPTS options related to security labels
Restricting changes to security labels (SECLABELCONTROL option)
Preventing changes to security labels (MLSTABLE option)
Quiescing RACF activity (MLQUIET option)
Preventing the copying of data to a lower security label (SETROPTS MLS option)
Activating compatibility mode for security labels (COMPATMODE option)
Enforcing multilevel security (MLACTIVE option)
Restricting access to z/OS UNIX files and directories (MLFSOBJ option)
Restricting access to interprocess communication objects (MLIPCOBJ option)
Using name-hiding (MLNAMES option)
Activating security labels by system image (SECLBYSYSTEM option)
SETROPTS options for automatic control of access list authority
Automatic addition of creator's user ID to access list
Automatic omission of creator's user ID from access list
Specifying the encryption method for user passwords
Using started procedures
Assigning RACF user IDs to started procedures
Protected user IDs
Undefined user IDs
Authorizing access to resources
Setting up the STARTED class
Defining profile data
Specifying STARTED class profile names
Using the started procedures table (ICHRIN03)
Started procedure considerations
Protecting data sets on DASD and tape
Protecting data sets
Rules for defining data set profiles
Standard data set naming conventions
Table-driven data set naming conventions
Protecting data sets that have single-qualifier data set names
Protecting user data sets
Protecting group data sets
Controlling the creation of new data sets
Data set profile ownership
Data set profiles
Protection through discrete profiles
Protection through generic profiles
Rules for generic data set profile names
When you can specify generic profile names
When to do a generic refresh
Choosing between discrete and generic data set profiles
Generic profile checking for the DATASET class
Generic profile performance
Using SETROPTS PROTECTALL and SETROPTS GENERIC(DATASET) together
Authority to modify generic profiles
Conditional access lists for data set profiles
Universal access authority (UACC) for data sets
Automatic profile modeling for data sets
Automatic profile modeling for user data set profiles
Automatic profile modeling for group data set profiles
Automatic profile modeling for GDG data sets
Password-protected data sets
Protecting GDG data sets
Protecting data sets that have duplicate names
Non-VSAM DASD data sets
VSAM data sets
Tape data sets
Disallowing duplicate names for data set profiles
Using the PROTECT operand or SECMODEL for non-VSAM data sets
Protecting multivolume data sets with discrete profiles
Non-VSAM DASD data set considerations
Tape data set considerations
VSAM data set considerations
Setting ADDCREATOR/NOADDCREATOR options for both DASD and tape
Protecting DASD data sets
Access authorities for DASD data sets
Suggestions for assigning access authorities to DASD data sets
Erasing of scratched (deleted) DASD data sets
Comparison of password and RACF authorization requirements for VSAM
Protecting catalogs
Protecting DASD system data sets
Bypassed RACF protection
Enforced RACF protection
DASD volume authority
DFSMSdss storage administration
Protecting data on tape
Using DFSMSrmm with RACF
Choosing which tape-related options to use
Tape data set and tape volume protection (TAPEDSN active and TAPEVOL active)
Tape data set protection (TAPEDSN active and TAPEVOL inactive)
Tape volume protection (TAPEVOL active and TAPEDSN inactive)
No tape volume or tape data set protection (TAPEVOL inactive and TAPEDSN inactive)
Protecting existing data on tape (SETROPTS TAPEDSN in effect)
Protecting new data on tape
Protecting tape volumes
Defining tape volumes with a TVTOC
Authorizing access to a data set on a tape volume with a TVTOC
Defining tape volumes without a TVTOC
Security levels and security categories for tapes
Security labels for tapes
Tape volume profiles that contain a TVTOC
Tape volume table of contents (TVTOC)
Automatic TVTOC tape volume profiles
Nonautomatic tape volume profiles
Predefining tape volume profiles for tape data sets
RACF security retention period processing (TAPEDSN must be active)
Authorization requirements for tape data sets when both TAPEVOL and TAPEDSN are active
Authorization requirements for tape data sets when TAPEVOL is inactive and TAPEDSN is active
Authorization requirements for tape data sets when TAPEVOL is active and TAPEDSN is inactive
JCL changes
Installations with DFSMShsm
IEC.TAPERING profile in the FACILITY class
Password-protected tape data sets
Using the PROTECT parameter for tape data set or tape volume protection
Multivolume tape data sets
RACF authorization of bypass label processing (BLP)
Authorization requirements for labels
Tape data set and tape volume protection with nonstandard labels (NSL)
Tape data set and tape volume protection for nonlabeled (NL) tapes
Opening an unlabeled tape for input
Opening an unlabeled tape for output
Protecting general resources
Defining profiles for general resources
Summary of steps for defining general resource profiles
Choosing between discrete and generic profiles in general resource classes
Disallowing generic profile names for general resources
Choosing among generic profiles, resource group profiles, and RACFVARS profiles
Rules for generic profile names
When you can specify generic profile names
Generic naming
Other rules for generic profile names
Generic profile checking of general resources
Generic profile performance
Granting access authorities
Limiting the size of your access lists
Conditional access lists for general resource profiles
Setting up the global access checking table
How global access checking works
Candidates for global access checking
Creating global access checking table entries
Adding an entry to the global access checking table
Deleting an entry from the global access checking table
Examples of creating global access checking table entries
Example 1: The SYS1.HELP data set
Example 2: Group data sets
Example 3: The master catalog and user catalogs
Stopping global access checking for a specific class
Listing the global access checking table
Special considerations for global access checking
Field-level access checking
Planning for profiles in the FACILITY class
Delegating help desk functions
Delegating authority to profiles in the FACILITY class
Creating resource group profiles
Adding a resource to a profile
Deleting a resource from a profile
Which profiles protect a particular resource?
Resolving conflicts among grouping profiles
How is WARNING mode merged for conflicting multiple profiles?
Considerations for resource group profiles
Using RACF variables in profile names (RACFVARS class)
Defining RACF variables
Example of protecting several tape volumes using the RACFVARS class
Using RACF variables
Using a RACF variable as the entire name of a profile
Using a RACF variable as a qualifier
Using the &RACLNDE profile to identify local nodes
How RACF uses the RACFVARS member list
Administering the RACFVARS member list
Examples of debugging complex RACF variables and member lists
Using RACFVARS with mixed-case classes
Controlling VTAM LU 6.2 bind
Protecting applications
Protecting DFP-managed temporary data sets
Protecting file services provided by LFS/ESA
Protecting terminals
Creating profiles in the TERMINAL and GTERMINL classes
Controlling the use of undefined terminals
Combining the SETROPTS TERMINAL command with TERMINAL profiles
Limiting specific groups of users to specific terminals
Limiting the times that a terminal can be used
Using security labels to control terminals
Using the TSO LOGON command with the RECONNECT operand
Protecting consoles
Using security labels to control consoles
Using the secured signon function
The RACF PassTicket
Activating the PTKTDATA class
Defining profiles in the PTKTDATA class
Determining PTKTDATA profile names
APPC, CICS, or IMS
MVS batch jobs
TSO
Creating a TSO profile name (when a VTAM generic resource name for TSO is used)
Creating a TSO profile name (when a VTAM generic resource name for TSO is not used)
z/VM logon
z/OS UNIX applications
Other applications
Protecting the secured signon application keys
Masking the secured signon application key
Encrypting the secured signon application key
Example of defining a PTKTDATA class profile
When the profile definitions are complete
How RACF processes the password or PassTicket
Bypassing PassTicket replay protection
Enabling the use of PassTickets
Verifying the secured signon environment
Preventing errors
Protecting the vector facility
Controlling access to program dumps
Using RACF to control access to program dumps
Protecting program dumps using a data set profile
Protecting program dumps using the FACILITY class
Example of defining the IEAABD.DMPAUTH profile
Example of defining the IEAABD.DMPAKEY profile
Activating the FACILITY class
Using non-RACF methods to control access to program dumps
Controlling the allocation of devices
Protecting LLA-managed data sets
Controlling data lookaside facility (DLF) objects (Hiperbatch)
Using RACROUTE REQUEST=LIST,GLOBAL=YES support
The RACGLIST class
Administering the use of operator commands
Authorizing the use of operator commands
Command authorization in an MCS sysplex
Controlling the use of operator commands
Controlling the use of remote sharing functions
Controlling access to the RACLINK command
Controlling the use of the RACLINK DEFINE operand
Controlling the use of the RACLINK PWSYNC operand
Controlling password synchronization
Controlling the use of the AT operand
Controlling the use of the ONLYAT operand
Controlling automatic direction
Controlling automatic direction of commands
Sample automatic command direction profiles
Controlling automatic direction of passwords
Sample automatic password direction profiles
Controlling automatic direction of application updates
Sample automatic direction of application updates
Establishing security for the RACF parameter library
Controlling message traffic
Controlling the opening of VTAM ACBs
RACF and PSF (Print Services Facility)
Auditing when users receive message traffic
RACF and APPC
User verification during APPC transactions
Partner LU as port of entry (POE)
Local LU name as application (APPL)
Protection of APPC/MVS transaction programs (TPs)
LU security capabilities
Conversation security options
Origin LU authorization
Protection of APPC server IDs (APPCSERV)
RACF and CICS
RACF and DB2
RACF and IMS
RACF and ICSF
RACF and z/OS UNIX
RACF support for NDS and Lotus Notes for z/OS
Administering application user identities
Adding application identity segments
Modifying user identity segments
Removing user identity segments
System considerations
Mapping profiles in the NOTELINK and NDSLINK classes
Authorizing applications to use identity mapping
Defining applications as RACF users
Permitting access to the IRR.RUSERMAP resource
Activating identity mapping
Considerations for application user names
Storing encryption keys using the KEYSMSTR class
Steps for storing a key in a KEYSMSTR profile
Defining delegated resources
Steps for authorizing daemons to use delegated resources
Administering the dynamic class descriptor table (CDT)
Overview of the class descriptor table
Restrictions for applications and vendor products
Using the dynamic CDT
Profiles in the CDT class
Adding a dynamic class with a unique POSIT value
Steps for adding a dynamic class with a unique POSIT value
Adding a dynamic class that shares a POSIT value
Processing options that are controlled by a shared POSIT value
Rules about disallowing generics when sharing a POSIT value
Steps for adding a dynamic class with a shared POSIT value
Changing a POSIT value for a dynamic class
Steps for changing a POSIT value of an existing dynamic class
Guidelines for changing dynamic CDT entries
Defining a dynamic class with generics disallowed
Steps for changing a dynamic class to disallow generic profiles
Deleting a class from the dynamic CDT
Steps for deleting a dynamic CDT class
Disabling the dynamic CDT
Re-enabling a previously defined dynamic class
Steps to re-enable a previously defined dynamic class
Migrating to the dynamic CDT
Sysplex considerations for the dynamic CDT
Shared system considerations for the dynamic CDT
RRSF considerations for the dynamic CDT
Protecting programs
Overview of protecting programs
Program security modes
Simple program protection in BASIC or ENHANCED mode
When a controlled program has an alias name
Program control by SMFID in BASIC or ENHANCED mode
Maintaining a clean environment in BASIC or ENHANCED mode
More complex controls: Using EXECUTE access for programs or libraries (BASIC mode)
Migrating from BASIC to ENHANCED program security mode
Protecting program libraries
Program access to data sets (PADS) in BASIC mode
Choosing between the PADCHK and NOPADCHK operands
Program access to SERVAUTH resources in BASIC or ENHANCED mode
ENHANCED program security mode
Program access to data sets (PADS) in ENHANCED mode
Using EXECUTE access for programs and libraries in ENHANCED mode
When to use MAIN or BASIC
Defining programs as MAIN or BASIC
How protection works for programs and PADS
How program control works
Informational messages for program control
Authorization checking for access control to load modules
Authorization checking for access control to data sets
Processing for execute-controlled libraries
Examples of controlling programs and using PADS
Examples of defining load modules as controlled programs
Example 1. Protecting programs without using PADS
Example 2. Protecting programs that are in several program libraries
Example 3. Using '******' as the volume serial number
Example 4. Omitting the volume serial number
Examples of setting up program access to data sets
Example of setting up an execute-controlled library
Example of setting up program control by system ID
Program signing and verification
Overview of program signing and verification
Terms to know
Related information
Task roadmap for program signing and signature verification
Enabling a user to sign a program
Overview of enabling a user to sign a program
Certificate objects required for program signing
Details about defining IRR.PROGRAM.SIGNING profiles
Format of the profile name
Format of the APPLDATA value
Task roadmap for enabling a user to sign a program
Steps for enabling a user to sign a program using RACF code-signing certificates
Steps for enabling a user to sign a program using external code-signing certificates
Enabling RACF to verify signed programs
Overview of enabling RACF to verify signed programs
Initializing RACF program signature verification
Certificate objects required for verifying signed programs
Details about defining the IRR.PROGRAM.SIGNATURE.VERIFICATION profile
Format of the APPLDATA value
Customizing the SIGVER segment of PROGRAM profiles
Delegating the authority for specifying signature verification options
Discovering if signed programs currently execute on your systems
Task roadmap for enabling RACF to verify signed programs
Steps for discovering if signed programs currently execute on your systems (optional)
Steps for preparing RACF to verify signed programs (one-time setup)
Steps for verifying a signed program
Operating considerations
Coordinating profile updates
RACF commands for flushing a VLF cache
Getting started with RACF (after first installing RACF)
Logging on as IBMUSER and checking initial conditions
Defining administrator user IDs for your own use
Defining at least one user ID to be used for emergencies only
Logging on as RACFADM, checking groups and users, and revoking IBMUSER
Defining the groups needed for the first users
Defining a system-wide auditor
Defining users and groups
Defining group administrators, group auditors, and data managers
Protecting system data sets
Setting RACF options
Using the data security monitor (DSMON)
JCL parameters related to RACF
Restarting jobs
Bypassing password protection
Controlling access to RACF passwords
Authorizing only RACF-defined users to access RACF-protected resources
Using the TSO or ISPF editor
Service by IBM personnel
Failsoft processing
Failsoft processing with tape data sets
Considerations for RACF databases
Backup RACF database
Multiple data set support
Protecting the RACF database
Using RACF data sharing
Sharing data without sharing a RACF database
Number of resident data blocks
Working with the RACF database
Using the RACF database unload utility (IRRDBU00)
Diagnosis
Performance considerations
Operational considerations
Using IRRDBU00 with universal groups
Running the database unload utility
Input data set specification
IRRDBU00 example
Allowable parameters
The NOLOCKINPUT parameter
The LOCKINPUT parameter
The UNLOCKINPUT parameter
Using the database unload utility output effectively
Sort/merge programs
Using database unload utility output with the DFSORT ICETOOL
The report format
The record selection criteria
Using the RACFICE procedure to generate reports
Reports based on the database unload utility (IRRDBU00)
Creating customized reports
Creating a RACFVARS member report
Relational databases
Using the database unload utility output with DB2
Steps for using IRRDBU00 output with DB2
Creating a DB2 database for unloaded RACF data
Creating a DB2 table space
Creating the DB2 tables
Creating the DB2 indexes
Loading the DB2 tables
Reorganizing the unloaded RACF data in the DB2 database
Creating optimization statistics for the DB2 database
Deleting data from the DB2 database
DB2 table names
Comparing LISTUSER and LISTGRP output with IRRDBU00
Processing password intervals for protected users
Processing user revocation information
Database unload utility output samples
SQL query
QMF form
Report output
Using the RACF remove ID (IRRRID00) utility
IRRRID00 job control statements
Searching for all residual references
Searching for a list of IDs
Specifying a replacement ID
IRRRID00 return codes
Finding residual IDs
Running IRRRID00 with an empty SYSIN
Creating commands to remove IDs
Running IRRRID00 with data in SYSIN
Using IRRRID00 output
Replacement IDs
EXIT commands
Ampersand characters
Lengthy commands
Sample output
Running the output CLIST as a batch job
Processing profiles and resources
What IRRRID00 verifies
Database objects that are not processed
Processing a hierarchy of groups
Processing global profiles
Processing general resource profiles
Processing MEMBER data
Processing universal groups
IRRRID00 and Tivoli
Time required to run IRRRID00
The RACF remote sharing facility (RRSF)
The RRSF network
RRSF nodes
Local and remote RRSF nodes
Single-system and multisystem RRSF nodes
Operating in local and remote mode
Establishing user ID associations in the RRSF network
Types of user ID associations
Password synchronization
Message processing
Output capturing
User ID associations
Defining user ID associations
Defining user ID associations for your own user ID
With password synchronization
Without password synchronization
Defining user ID associations for other users
With password synchronization
Without password synchronization
Managed user ID associations
Approving user ID associations
Deleting user ID associations
Listing user ID associations
Command direction
Commands that are not eligible for command direction
Directing commands using the AT option
Directing commands on the local node
Directing commands on a remote node
Capturing command output
Directing commands using the ONLYAT option
Order considerations for directed commands and application updates
Directing commands to incompatible systems
Automatic direction
Preparing to use automatic direction
Output processing
Effects of using OUTPUT and NOTIFY
Output data set names for automatic direction
Notify messages for automatic direction
Sample output from automatic direction
Interactions among automatic direction functions and password synchronization
Interaction between automatic direction of commands and automatic direction of application updates
Interaction between automatic password direction and automatic direction of application updates
Interaction among password synchronization, automatic direction of commands, and automatic password direction
RRSF considerations for mixed-case passwords
Using automatic direction of commands
Commands not eligible for automatic direction of commands
How automatic direction of commands works
Automatic command direction authorization checks
The AT option and automatic command direction
Summary of rules for automatic direction of commands
Using automatic direction of application updates
Summary of rules for automatic direction of application updates
Considerations for the DATASET class
RRSF considerations for digital certificates
Suppression of private key information propagation
Guidelines for propagation of command and application updates
RRSF considerations for distributed identity filters
Using automatic password direction
Relationship to user ID associations
Synchronizing passwords and password phrases
RRSF considerations for JES security
RRSF considerations for z/OS Network Authentication Service
Synchronizing database profiles
Establishing RACF security for RRSF TCP/IP connections
Task roadmap for establishing RACF security for RRSF TCP/IP connections
Before you begin
Administer profiles in the SERVAUTH class to enable RRSF to use TCP/IP node connections
Steps for administering SERVAUTH class profiles to enable RRSF to use TCP/IP node connections
Implementing an RRSF trust policy
Before you begin
Using the same, self-signed certificate for all RRSF nodes
Steps for using the same, self-signed certificate for all RRSF nodes
Using an internal CA to sign a server certificate for each RRSF node
Steps for using an internal CA to sign a server certificate for each RRSF node
Considerations when using an external CA
Providing security for JES
Planning for security
How JES and RACF work together
Defining JES as a RACF started procedure
Forcing batch users to identify themselves to RACF
Support for execution batch monitor (XBM) (JES2 Only)
Defining and grouping operators
JES user ID early verification
User ID propagation when jobs are submitted
Allowing surrogate job submission
Controlling user ID propagation in a local environment
Using protected user IDs for batch jobs
Propagating protected user IDs
Using protected user IDs for surrogate job submission
Where NJE jobs are verified
How SYSOUT requests are verified
Security labels for JES resources
Controlling access to data sets JES uses
Controlling input to your system
How RACF validates users
Propagating security information
Propagating security information across a network
Controlling the use of job names
Controlling who can submit jobs by job name
Controlling who can cancel jobs by job name
Controlling job class usage
Controlling who can modify job attributes using the Job Modify SSI 85
Allowing a TSO user to cancel all jobs originating from local nodes
Surrogate job submission
Authorizing the use of input sources
Authorizing network jobs and SYSOUT (NJE)
Authorizing inbound work
Understanding NODES profiles
Setting up NODES profiles
Unknown, blank, and undefined security labels
Learning which NODES profiles are used
Understanding mixed security environments
Authorizing jobs
Controlling user ID propagation in an NJE environment
Using submitter information during job verification
Authorizing SYSOUT
Validating SYSOUT based on the submitter
Translating security information
Example: Simple NJE user translation
Example: Simple NJE user translation using &SUSER
Example: Trusted, semitrusted, and untrusted Nodes
Understanding default user IDs
How JES sends security information
Defining profiles in the NODES class
Defining nodes as local input sources
Authorizing outbound work
Using security labels to control writers
Controlling access to spool data
Protecting data sets on spools
Defining profiles for SYSIN and SYSOUT data sets
Letting users create their own JESSPOOL profiles
Protecting JESNEWS
Protecting JESNEWS for JES2
Protecting JESNEWS for JES3
Protecting trace data sets (JES2 only)
Protecting SYSLOG
Spool offload considerations (JES2 only)
Offloading data
Reloading data
How RACF affects jobs dumped from and restored to spool (JES3 only)
Dumping jobs
Restoring jobs
Authorizing console access
MCS consoles
Remote workstations (RJP/RJE consoles)
JES3 consoles
Controlling where output can be processed
Authorizing the use of your installation's printers
Authorizing the use of operator commands
Commands from RJE work stations
Commands from NJE nodes
Who authorizes commands when RACF is active
RACF and Storage Management Subsystem (SMS)
Overview of RACF and SMS
RACF general resource classes for protecting SMS classes
Controlling the use of SMS classes
Refreshing profiles for SETROPTS RACLIST processing for MGMTCLAS and STORCLAS
DFP segment in RACF profiles
DFP segment in user and group profiles
Choosing different default values for DFP constructs
DFP segment in data set profiles
How RACF uses the information in the DFP segments
Determining the owner of an SMS-managed data set
Retrieving default DFP information from user and group profiles
Authorization checking for protected SMS classes
Controlling access to the DFP segment
Activating the FIELD class
Defining profiles for field-level access checking
Controlling access to all fields in the DFP segment of user profiles
Controlling access to a specific field in the DFP segment of user profiles
Controlling access to all fields in the DFP segment of group profiles
Controlling access to a specific field in the DFP segment of group profiles
Controlling access to all fields in the DFP segment of data set profiles
Controlling access to a specific field in the DFP segment of data set profiles
Creating the access list for field-level access checking
Controlling the use of other SMS resources
RACF and TSO/E
TSO/E administration considerations
Protecting TSO resources
Authorization checking for protected TSO resources
Field-level access checking for TSO
Controlling the use of the TSO SEND command
Restricting spool access by TSO users
TSO commands that relate to RACF
Using TSO when RACF is deactivated
RACF and z/OS UNIX
Defining group identifiers (GIDs)
Defining user identifiers (UIDs)
Listing UIDs and GIDs
Superuser authority
Setting z/OS UNIX user limits
Protected user IDs
Controlling the use of shared UNIX identities
Sharing IDs
Defining the SHARED.IDS profile in the UNIXPRIV class
Using the SHARED operand
Enabling automatic assignment of unique UNIX identities
Automatically assigning unique IDs using RACF commands
Setting up the BPX.NEXT.USER profile
Automatically assigning unique IDs through UNIX services
Steps for automatically assigning unique IDs through UNIX services
RRSF considerations for automatic ID assignment
Special RRSF considerations for automatic unique IDs
z/OS UNIX performance considerations
Converting to stage 3 of application identity mapping
Using the UNIXMAP class and Virtual Lookaside Facility (VLF)
Activating the UNIXMAP class
How to initially populate the UNIXMAP class
Using UNIXMAP class profiles to map UIDs and GIDs
Using UNIXPRIV class profiles to manage z/OS UNIX privileges
Example of authorizing superuser privileges
Allowing z/OS UNIX users to change file ownerships
Using the CHOWN.UNRESTRICTED profile
Configuring the group owner for new UNIX files
Using the FILE.GROUPOWNER.SETGID profile
Steps for setting up the FILE.GROUPOWNER.SETGID profile
Protecting file system resources
Administering ACLs
Controlling access to file system resources for restricted users
Steps for controlling access to file system resources for restricted users
Overriding SUPERUSER.FILESYS authority with ACLs
Steps for overriding SUPERUSER.FILESYS authority with ACLs
Restricting access to a zFS file system
Steps for restricting access to a zFS file system
Restricting access to all zFS file systems
z/OS UNIX application considerations
Threads and security
Application services and security
Application authorization service
Restrictions of RACF client ACEE support
Auditing z/OS UNIX security events
RACF and digital certificates
Overview of digital certificates
Public and private keys
X.509 certificates
Certificate hierarchies
Public key algorithms
Certificate formats
Single binary certificate
PKCS #7 binary certificate package
PKCS #12 binary certificate package
Base64-encoded certificates
Using certificates with z/OS client/server applications
The secure handshake
Planning your certificate environment
Setting up your certificate environment
Enabling client login using certificates
Certificate mapping
One-to-one certificate to user ID association
Certificate name filtering
The hostIdMappings certificate extensions
Using RACF to manage digital certificates
Size considerations for public and private keys
Using the RACDCERT command to administer certificates
Sharing the RACF database with a z/VM system
Controlling the use of the RACDCERT command
Examples of controlling the use of the RACDCERT command
Examples of adding digital certificate information
Examples of listing digital certificate information
Examples of listing digital certificate chain information
Examples of checking digital certificate information
Examples of altering digital certificate information
Using the TRUST option
Using the NOTRUST option
Examples of deleting digital certificates
Deleting a user certificate
Deleting a CA or SITE certificate
DIGTCERT general resource profiles
DIGTCERT profile names
Ownership of DIGTCERT profiles
RACLISTing the DIGTCERT class
RACF and key rings
DIGTRING general resource profiles
Sharing a private key in a key ring
Using a virtual key ring
Example using the z/OS FTP client with TLS
RACF and z/OS PKCS #11 tokens
Creating and populating PKCS #11 tokens
Steps for creating and populating tokens
Certificate name filtering
Interpreting the X.500 directory information tree
Creating certificate name filters
Assigning user IDs to certificate name filters
Activating certificate name filtering
DIGTNMAP general resource profiles
Types of certificate name filters
Issuer's name filter
Subject's name filter
Examples
Details about processing subject's name filters
Subject's and issuer's name filter
Example
Details for processing subject's and issuer's name filters
How RACF processes certificate name filters
Using an existing certificate as a model
Excluding a certificate by using the NOTRUST option
Mapping multiple user IDs using additional criteria
RACLISTing the DIGTCRIT class
Using application criteria
Example
Using system criteria
Using multiple criteria
Example
Details for processing an issuer's name filter with multiple criteria
Activating additional criteria
Automatic registration of digital certificates
ICSF considerations for keys in the PKA key data set (PKDS)
Using a PCI cryptographic coprocessor to generate private keys
Migrating an ICSF private key in the PKDS from one system to another
Steps for migrating a certificate and its ICSF private key in the PKDS
The irrcerta, irrmulti, and irrsitec user IDs
Renewing an expiring certificate
Renewing a certificate with the same private key
Steps for renewing a certificate issued by an external CA
Steps for renewing a certificate issued by a local CA
Steps for renewing a self-signed certificate in RACF
Renewing (rekeying) a certificate with a new private key
Steps for rekeying a certificate issued by an external CA
Steps for rekeying a certificate issued by a local CA
Steps for rekeying a self-signed certificate in RACF
Supplied digital certificates
Steps to begin using a supplied CA certificate
Implementation scenarios
Scenario 1: Secure server with a certificate signed by a certificate authority
Scenario 2: Secure server with a locally signed certificate
Scenario 3: Migrating an ikeyman or gskkyman certificate
Scenario 4: Secure server-to-server session enablement
Scenario 5: Creating client browser certificates with a locally signed certificate
Scenario 6a: Enabling secure outbound FTP using a shared virtual key ring
Scenario 6b: Enabling secure outbound FTP using a shared real key ring
Scenario 7: Sharing one certificate among multiple servers
Scenario 8: Using the IBM Encryption Facility for z/OS
Controlling applications that invoke callable services
Authorizing applications
Defining applications as RACF users
Defining resources that control callable services
Activating your authorizations
initACEE (IRRSIA00) callable service
Registering user certificates
Deregistering user certificates
Replacing certificate-authority certificates
Using a hostIdMappings extension
Administering profiles in the SERVAUTH class
Using the HIGHTRUST option
R_admin (IRRSEQ00) callable service
R_auditx (IRRSAX00) callable service
R_cacheserv (IRRSCH00) callable service
R_datalib (IRRSDL00 or IRRSDL64) callable service
Extracting private keys
Managing certificate serial numbers
User certificates
CERTAUTH and SITE certificates
R_dcekey (IRRSDK00) callable service
R_GetInfo (IRRSGI00) callable service
R_dceruid (IRRSUD00) callable service
R_PKIServ (IRRSPX00) callable service
Authorizing end-user functions
Authorizing administrative functions
R_proxyserv (IRRSPY00) callable service
R_ticketserv (IRRSPK00) callable service
Permitting access to the IRR.RTICKETSERV resource
RACF and the z/OS LDAP server
Defining an LDAPBIND class profile
LDAP event notification
LDAP change log entries
LDAP notification occurs in real-time only
RRSF considerations for applications that exploit enveloping
Activating LDAP change notification
Disabling LDAP change notification
Password and password phrase enveloping
Overview of enveloping
Resources that control enveloping
Signing hash algorithm and encryption strength used to create the envelope
The IRR.PWENV.KEYRING key ring
Controlling envelope retrieval
The NOTIFY.LDAP.USER resource
Setting up enveloping
Preparing the address space of the RACF subsystem
Generating a local CA certificate using RACF as the CA
Generating an X.509 V3 certificate for the RACF address space
Steps for generating a certificate and private key for the RACF address space
Generating an X.509 V3 certificate for the envelope recipient
Copying the certificates to the host system (if generated elsewhere)
Exporting RACF's certificate to the recipient key database
Authorizing the envelope recipient
Activating enveloping
Disabling enveloping
Steps for disabling enveloping and deleting existing envelopes
Planning considerations for heterogeneous password synchronization
Defining and using custom fields
Overview of custom fields
Task roadmap for defining and using custom fields
Defining a custom field and its field attributes
Profiles in the CFIELD class
CFIELD profile names
Steps for defining a custom field and its attributes
Activating a custom field
Steps for activating a custom field
Adding data to a custom field
Steps for adding data to a custom field
Authorizing users to define custom fields
Steps for authorizing users to define custom fields
Authorizing users to update data in a custom field
Authorizing users for the ISPF panels to update custom field data
Steps for authorizing users to update data in a custom field
Changing attributes of an existing custom field
When you need to change the data type
Steps for changing the data type
When you need to change the MAXLENGTH of a numeric field
Steps for changing the MAXLENGTH of a numeric field
Removing a custom field
Steps for removing a custom field
Common errors when defining and using custom fields
Errors defining a custom field
Errors adding data to a custom field
Specifying an unacceptable data value
Specifying an ambiguous custom field keyword
Specifying an undefined custom field keyword
Specifying a data value that is too long
Failing due to the custom field validation exit
RRSF considerations for custom fields
Authorizing help desk functions
Delegating the authority to list user information
Delegating the authority to list user information in any user profile
Steps for delegating the authority to list user information in any user profile
Delegating the authority to list user information in only selected user profiles
Delegating the authority to list user information by owner
Steps for delegating the authority to list user information by owner
Delegating the authority to list user information by group tree
Scope of a group tree
Steps for delegating the authority to list user information by group tree
Excluding selected user profiles
Steps for excluding selected user profiles
Delegating the authority to reset passwords and password phrases
Levels of authority
Delegating the authority to reset the password for any user
Steps for delegating the authority to reset the password for any user
Delegating the authority to reset passwords for only selected users
Delegating the authority to reset passwords by owner
Steps for delegating the authority to reset passwords by owner
Delegating the authority to reset passwords by group tree
Scope of a group tree
Steps for delegating the authority to reset passwords by group tree
Excluding selected users
Steps for excluding selected users
Delegating both by owner and by group tree
Examples of delegating help desk authorities
Delegating help desk authorities by owner
Delegating help desk authorities by group tree
Delegating help desk authorities for all users, excluding selected users
Distributed identity filters
Overview of distributed identity filters
What is a distributed identity filter?
Applications that support distributed identity filters
Overview of the RACMAP command
Profiles in the IDIDMAP class
RACMAP command updates to user profiles
DELUSER processing with distributed identity filters
IRRRID00 considerations for distributed identity filters
Details about specifying user and registry names
The user name portion of the filter
The registry name portion of the filter
How RACF matches filter values
Using a one-to-one match
Using a many-to-one match
Details about searching for a filter that matches a user's DN
Adding a default RACMAP filter
Restrictions for UTF-8 data values
Defining a filter for a non-LDAP user name
Steps for defining a filter for a non-LDAP user name
Results for defining a filter for a non-LDAP user name
Defining a filter for an X.500 user identity
Steps for defining a filter for a full X.500 DN
Results for defining a filter for a full X.500 DN
Steps for defining a filter using selected RDNs
Results for defining a filter using selected RDNs
Deleting a distributed identity filter
Steps for deleting a distributed identity filter
Supplied RACF resource classes
Supplied resource classes for z/OS systems
Supplied resource classes for z/VM systems
Summary of RACF commands and authorities
Summary of commands and their functions
Summary of authorities and commands
The SPECIAL or group-SPECIAL attribute
The AUDITOR or group-AUDITOR attribute
The OPERATIONS or group-OPERATIONS attribute
The CLAUTH attribute
Group authority
Access authority
Profile ownership authority
Other authorities
Listings of RACF supplied certificates
Security for system data sets
Debugging problems in the RACF database
Checklist: Resolving problems when access is denied unexpectedly
Checklist: Resolving problems when access is allowed incorrectly
When changes to data set profiles take effect
Authorization checking for RACF-protected resources
When authorization checking takes place and why
Authorizing access to RACF-protected resources
Pictorial view of RACF authorization checking
Authorizing access to z/OS UNIX files and directories
Authorizing access to RACF-protected terminals
Authorizing access to consoles, JES input devices, APPC partner LUs, or IP addresses
Authorization checking for RACROUTE REQUEST=FASTAUTH requests
Authorizing access to RACF-protected applications
Security label authorization checking
Types of security label authorization checking
Authorization summary for SETROPTS MLS(FAILURES) and MLS(WARNINGS)
Authorization summary for SETROPTS NOMLS
Authorization summary for SETROPTS MLACTIVE
Special access rule for SPECIAL users
Relationships among the SECLABEL class, SETROPTS MLS(FAILURES), SETROPTS MLACTIVE(FAILURES) and SETROPTS MLQUIET
Problems with user ID authentication
When logon or job initialization processing takes place and why
Logon/job initialization processing
Copyright IBM Corporation 1990, 2014