RACF Health Check Updates for ICSF
SueMarcotte
RACF recently introduced a new health check function for ICSF via APAR OA44696. This APAR introduces two new class active checks, RACF_CSFKEYS_ACTIVE and RACF
To ensure no one has direct access to your KDS datasets, ICSF recommends you protect your KDS dataset name resource in the DATASET class. If a dataset profile is used, as opposed to using the PROTECTALL(FAIL) option for example, the profile should have a UACC of NONE.
Note that access to the keys within the KDS datasets can be obtained via the ICSF API calls or the ICSF ISPF interface. As an additional layer of security, the CSFKEYS general resource class can be set up to protect individual keys, and the CSFSERV general resource class can be set up to protect the ICSF API calls and the ICSF ISPF interface.
In our environment, when we did not have the KDS datasets appropriately protected, the new ICSF Dataset Report in the RACF
S Data Set Name
Notice that the E in the S column denotes an Exception for this dataset, and that a UACC of Read is displayed.
After we created the RACF dataset profiles with a UACC of NONE, the ICSF Dataset Report in the RACF
S Data Set Name
Note that there is no longer an E for an Exception in the S column and the UACC is now None.
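One way to make the change described above, written as a batch TSO job; this is an added example, not taken from the original post. The job card, the CSF.EXAMPLE.* data set names, the CSFSTC started-task user ID and the UPDATE access level are assumptions to replace with your installation's values.

```jcl
//RACFKDS  JOB (ACCT),'PROTECT ICSF KDS',CLASS=A,MSGCLASS=X
//*
//* Added example. Placeholders (assumptions, not from the post):
//*   CSF.EXAMPLE.CKDS/PKDS/TKDS  - your KDS data set names
//*   CSFSTC                      - user ID of the ICSF started task
//*   ACCESS(UPDATE)              - assumed level; confirm against the
//*                                 ICSF System Programmer's Guide
//*
//* Steps performed by the commands in SYSTSIN, in order:
//*  1. LISTDSD  - show the profile that covers each KDS today, so
//*                a UACC of READ is visible before the change.
//*  2. ADDSD    - define a fully qualified generic profile for
//*                each KDS with UACC(NONE). If a profile already
//*                exists, use ALTDSD ... UACC(NONE) instead.
//*  3. PERMIT   - give only the ICSF started task access; all
//*                other users must go through the ICSF API or
//*                ISPF interface (CSFSERV/CSFKEYS controls).
//*  4. SETROPTS - refresh in-storage generic DATASET profiles.
//*  5. SETROPTS - activate and RACLIST the CSFKEYS and CSFSERV
//*                classes named in the post.
//*  6. LISTDSD  - confirm UNIVERSAL ACCESS is now NONE and the
//*                access list holds only the expected IDs.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTDSD DATASET('CSF.EXAMPLE.CKDS') GENERIC ALL
  LISTDSD DATASET('CSF.EXAMPLE.PKDS') GENERIC ALL
  LISTDSD DATASET('CSF.EXAMPLE.TKDS') GENERIC ALL
  ADDSD 'CSF.EXAMPLE.CKDS' GENERIC UACC(NONE)
  ADDSD 'CSF.EXAMPLE.PKDS' GENERIC UACC(NONE)
  ADDSD 'CSF.EXAMPLE.TKDS' GENERIC UACC(NONE)
  PERMIT 'CSF.EXAMPLE.CKDS' GENERIC ID(CSFSTC) ACCESS(UPDATE)
  PERMIT 'CSF.EXAMPLE.PKDS' GENERIC ID(CSFSTC) ACCESS(UPDATE)
  PERMIT 'CSF.EXAMPLE.TKDS' GENERIC ID(CSFSTC) ACCESS(UPDATE)
  SETROPTS GENERIC(DATASET) REFRESH
  SETROPTS CLASSACT(CSFKEYS CSFSERV) RACLIST(CSFKEYS CSFSERV)
  LISTDSD DATASET('CSF.EXAMPLE.CKDS') GENERIC ALL
  LISTDSD DATASET('CSF.EXAMPLE.PKDS') GENERIC ALL
  LISTDSD DATASET('CSF.EXAMPLE.TKDS') GENERIC ALL
/*
```

Run the first three LISTDSD commands on their own before the rest if you need to record which user IDs currently rely on the universal access.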
The ICSF System Programmer’s Guide, Chapter 2 Installation, Initialization and Customization, in the sections: Creating the CKDS, Creating the PKDS and Creating the TKDS will be updated to inform system programmers how to appropriately protect the KDS datasets. For additional information on the setup of the CSFKEYS and CSFSERV general resource classes, please see the ICSF Administrator’s Guide, Chapter 4. Using RACF to Protect Keys and Services.