Setting up Program Control and PADS access

About this task

This information applies only if your live system uses RACF®.

The greatest level of security is achieved by making use of Program Access to Data Sets (PADS). Without PADS, users can use, for example, ISPF Browse to examine the RACF database, or even copy the database to a system where they can run in unrestricted mode. However, due to the way that RACF implements Conditional Access, this option is also the most cumbersome to use. As an alternative to PADS, you can exploit the zSecure Server in self-connect mode to access the security database. See Use of the zSecure Server to limit the need for access to the security database.

You can combine PADS access, or access through the zSecure Server, with the use of the CKR.READALL resource to override restricted mode for selected (or all) users.

If you want to set up zSecure for operation using Conditional Access or PADS mode, you must define profiles in the program class, and activate RACF program control. Many installations perform most of these steps as part of the implementation of z/OS® UNIX System Services.

Procedure

Use the following steps to set up Conditional Access or PADS mode:

  1. Acquaint yourself with the principles of Program Control and Program Access to Data sets, as documented in the RACF Security Administrator's Guide (SA23-2289 for z/OS RACF).
  2. Determine if your installation is using RACF Program Control in BASIC mode or in ENHANCED mode.
    • If your system uses BASIC Program Control mode, you should add the required PROGRAM profiles with a command like: 
      RDEF PROGRAM CKR* ADDMEM('CKR.SCKRLOAD'//NOPADCHK)
    • If your system uses ENHANCED Program Control mode (available as of z/OS 1.4), you can add the required PROGRAM profiles with commands like: 
      RDEF PROGRAM CKR* ADDMEM('CKR.SCKRLOAD'//NOPADCHK) APPLDATA('MAIN')
RALT PROGRAM **   ADDMEM('CKR.SCKRLOAD'//NOPADCHK)

    If you use different load libraries (for example, you might have created multiple load libraries for multiple versions of the Site module, and concatenate these to your main zSecure load library), you must specify ADDMEM for each of the load libraries that you need to have program-controlled.

    If you have set up alias names for load modules, also create profiles that cover the alias names.

    On older systems, the volume serial number must be inserted between the slashes (//) in the previous example commands. This can lead to problems if your data set is located on an SMS managed volume. In that case, to prevent SMS from moving the data set to a different volume, ensure that the data set is assigned to storage class that has the Guaranteed Space attribute (or on a non-SMS managed volume).

    If you intend to use zSecure interactively via TSO/ISPF, also add program profiles for some other executable modules of zSecure. In this example, ** is used to describe all relevant load modules. Alternatively, you can add the entire library to the definition of program profile * or ** as in the example.

  3. Add an authorization group to be used for users authorized to access the database in PADS mode.
  4. Add a conditional access list to the profile describing your RACF databases. You might restrict users to using the back-up database; you might first need to add a profile for this.
    A sample command is: 
       PE 'databaseprofile' WHEN(PROGRAM(CKRCARLA)) ID(authgroup)
  5. Ensure that program control is active by issuing SETROPTS LIST, check that the output specifies WHEN(PROGRAM). If it does not, schedule introduction of program control. (Review the current contents of the PROGRAM class first.)
    Program control is activated as follows: 
       SETROPTS WHEN(PROGRAM)
  6. You might need to add a program profile describing operating system modules, depending on how much your site moved from link list to LPA. (For LPA modules you do not need program profiles.)
    Generally the commands issued are: 
       RDEF PROGRAM * ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(READ)
   RALT PROGRAM * ADDMEM('SYS1.CMDLIB'//NOPADCHK)
   RALT PROGRAM * ADDMEM('SYS1.MIGLIB'//NOPADCHK)
   RALT PROGRAM * ADDMEM('SYS1.CSSLIB'//NOPADCHK)
   RALT PROGRAM * ADDMEM('cee.version.SCEERUN'//NOPADCHK)
   RALT PROGRAM * ADDMEM('TCPIP.SEZALINK'//NOPADCHK)
   RALT PROGRAM * ADDMEM('TCPIP.SEZATCP'//NOPADCHK)
    If you want to run interactively in PADS mode, you must also add the ISPF and PDF link list libraries. When you load a dirty (non-controlled) module, you probably need to log on again for your next try. Sometimes, leaving ISPF and invoking ISPF through TSOEXEC can be sufficient to regain a controlled environment. 
    RALT PROGRAM * ADDMEM('CKR.SCKRLOAD'//NOPADCHK)    /* IBM Security zSecure */
RALT PROGRAM * ADDMEM('FAN130.SEAGLMD'//NOPADCHK)           /* REXX     */
RALT PROGRAM * ADDMEM('ISP.SISPLOAD'//NOPADCHK)             /* ISPF/PDF */

    If you define program * or ** for all modules in SYS1.LINKLIB, also consider creation of two more specific profiles for the programs ICHDSM00 and IRRDPI00 with a reduced UACC. These two programs check the existence of a matching program profile to allow users to execute the program. If no program profile exists, only auditors are authorized to execute ICHDSM00 (DSMON). If, however, a generic profile * has been defined with a UACC(READ) all users are authorized to execute ICHDSM00. Therefore, it is a good idea to also issue the following commands:

       RDEF PROGRAM ICHDSM00 UACC(NONE) ADDMEM('SYS1.LINKLIB'/'******'/NOPADCHK)
   RDEF PROGRAM IRRDPI00 UACC(NONE) ADDMEM('SYS1.LINKLIB'/'******'/NOPADCHK)
   PE ICHDSM00 CLASS(PROGRAM) ID(your-auditors) ACCESS(READ)
   PE IRRDPI00 CLASS(PROGRAM) ID(your-dynamic-parse-initialization-userid) ACCESS(READ)

    For more information about these commands, see the section about Program Control in the RACF Security Administrator's Guide.

  7. To activate a change to any PROGRAM profile in the system, you must issue: 
       SETROPTS REFRESH WHEN(PROGRAM)
  8. First try PADS access through batch jobs. If this works, you can move on to interactive access. First try to get it working with a minimal, clean environment: issue the CKR command (or your local copy) immediately after logging on to TSO, before you start ISPF. When invoked in this way, CKR frees file ISPLLIB to be sure to prevent dirty modules, and invokes the program as the primary ISPF application through the TSOEXEC command.

    You must be aware that other ISPF applications (like SDSF) can create an environment that cannot be cleaned up even with the TSOEXEC command. In this situation, you might have to log on again. After you ensure that it works in the cleanest case, you can try to add back your own ISPF environment piece by piece to get a usable work environment and to see where you start getting 913 or 306 abends.

    Each intercepted 913 abend produces a debugging display of the Job Pack Queue module in the SYSPRINT file. (You can review this with the SYSPRINT primary command under ISPF.)

    You can also use the RACF ICH420I messages to determine the cause for the dirty environment.