Defining a security class for UMS
This section covers the steps to define the IZP class for SAF and to migrate it to a different POSIT number.
Defining the SAF IZP class
If you want to create an IZP class before running the IZPGENER JCL or do not want to use the IZP class definition JCL created by IZPGENER, you need to define the SAF IZP class for the RACF security manager.
- Create the SAF IZP class for RACF security manager:

      RDEF CDT IZP UACC(NONE)
      RALT CDT IZP CDTINFO(POSIT(608))
      RALT CDT IZP CDTINFO(RACLIST(ALLOWED))
      RALT CDT IZP CDTINFO(MAXLENGTH(246))
      RALT CDT IZP CDTINFO(FIRST(ALPHA))
      RALT CDT IZP CDTINFO(OTHER(ALPHA NUMERIC SPECIAL))
      SETR RACLIST(CDT) REFRESH
      SETR CLASSACT(IZP) GENERIC(IZP) RACLIST(IZP)

- For ACF2 commands, refer to SMP/E install data set member SIZPCUSA(IZPB1A).
- For TSS, refer to SMP/E install data set member SIZPCUST(IZPB1T).
Migrating to a different POSIT number
If you have already run the security JCLs, complete the following steps to migrate to a different POSIT number.
The default POSIT number specified by IBM is 608. Identify the new POSIT number required for this procedure.
1. Execute the following command to list the SETROPTS options for all classes. Record all active system options for the IZP class.

       SETROPTS LIST

2. Record the current POSIT value of the IZP class. Run the following command to list the POSIT value:

       RLIST CDT IZP CDTINFO NORACF

3. Run the following command to change the POSIT number:

       RALTER CDT IZP CDTINFO(POSIT(60*8*))

   Ignore the IRR52190I message that is issued by RALTER.

4. Run the following command to refresh the CDT class on all systems sharing the RACF database that will use the IZP class:

       SETROPTS RACLIST(CDT) REFRESH

   Ignore the following ICH14079I message that is issued by SETROPTS:

       ICH14079I RACF detected an error in the dynamic class descriptor table entry IZP, error code 08.

   This message will also be issued during IPL on any system with the PTF for z/OS 2.5 and above, until step 10 is performed. These IPL messages can be ignored.

5. Activate the desired SETROPTS options. Using the SETROPTS LIST output from step 1 as reference, assuming for this example that SETROPTS options CLASSACT, RACLIST, GENERIC, and GENCMD were previously active for the IZP class, run the following command:

       SETROPTS CLASSACT(IZP) RACLIST(IZP) GENERIC(IZP) GENCMD(IZP)

6. Examine all dynamic and static CDT entries to see if any other existing class shares the previous POSIT value of the IZP class. If another existing class shares the current POSIT value, then continue at step 10. If no other existing class shares the previous POSIT value, continue with step 7 to ensure that any new class will not have unexpected options if you add a new class using that POSIT value in the future.

7. Add a new, unique, temporary dynamic class and assign it the previous POSIT value of the IZP class. For example, if the class name $TEMPCLS is not in use, and the previous POSIT value of the IZP class was 200, then run the following commands:

       RDEFINE CDT $TEMPCLS CDTINFO(POSIT(200))
       SETROPTS RACLIST(CDT) REFRESH

8. Deactivate the SETROPTS settings that you recorded in step 1. For example, if the SETROPTS options CLASSACT, RACLIST, GENERIC and GENCMD were active for the IZP class, you can issue the following command to deactivate those options:

       SETROPTS NOCLASSACT($TEMPCLS) NORACLIST($TEMPCLS) NOGENERIC($TEMPCLS) NOGENCMD($TEMPCLS)

9. Delete the temporary class by running the following commands:

       RDELETE CDT $TEMPCLS
       SETROPTS RACLIST(CDT) REFRESH

10. Once all of the systems sharing the RACF database are loaded with the PTF for z/OS 2.5 and above, the installation-defined dynamic version of the IZP class can be deleted. Delete the CDT class profile which defines the IZP class using the commands:

        RDELETE CDT IZP
        SETROPTS RACLIST(CDT) REFRESH

    Important: Do not delete the installation-defined dynamic class until all of the systems sharing the RACF database have been loaded with the PTF for z/OS 2.5 and above. If you are propagating changes to the CDT class using the RACF remote sharing facility (RRSF), then this also applies to systems on remote RRSF nodes.
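
The following Python sketch is an added example, not part of the IBM procedure. It reads a saved copy of the SETROPTS LIST output from step 1, works out which of the four options named above were active for the IZP class, and builds the matching reactivation command for step 5 and the deactivation command for the temporary class in step 8, so the two cannot drift apart. The function names, the sample listing and the assumed "HEADING = class list" layout with continuation lines are illustrative; compare them with your own listing before relying on the result.

```python
import re

# SETROPTS LIST heading -> SETROPTS keyword (only the four options the page names).
HEADINGS = {
    "ACTIVE CLASSES": "CLASSACT",
    "SETR RACLIST CLASSES": "RACLIST",
    "GENERIC PROFILE CLASSES": "GENERIC",
    "GENERIC COMMAND CLASSES": "GENCMD",
}

# Constructed sample of SETROPTS LIST output (the layout is an assumption).
SAMPLE = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM -- BASIC)
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP CDT FACILITY IZP
                 STARTED TSOPROC
GENERIC PROFILE CLASSES = DATASET FACILITY
                          IZP
GENERIC COMMAND CLASSES = DATASET FACILITY IZP
GENLIST CLASSES = NONE
GLOBAL CHECKING CLASSES = NONE
SETR RACLIST CLASSES = CDT FACILITY IZP STARTED
"""

def active_options(listing, cls):
    """Return the keywords from HEADINGS whose class list contains cls."""
    found, current = set(), None
    for line in listing.splitlines():
        m = re.match(r"\s*([A-Z][A-Z ]*?)\s*=\s*(.*)$", line)
        if m:   # "HEADING = names": a tracked list starts, or an unrelated setting
            current, names = HEADINGS.get(m.group(1)), m.group(2)
        else:   # no "=": continuation of the list under the current heading
            names = line
        if current and cls in names.split():
            found.add(current)
    return [kw for kw in HEADINGS.values() if kw in found]

def migration_commands(listing, cls="IZP", temp_cls="$TEMPCLS"):
    """Build the step 5 reactivation and step 8 deactivation commands."""
    opts = active_options(listing, cls)
    if not opts:
        return "", ""
    activate = "SETROPTS " + " ".join(f"{o}({cls})" for o in opts)
    deactivate = "SETROPTS " + " ".join(f"NO{o}({temp_cls})" for o in opts)
    return activate, deactivate

if __name__ == "__main__":
    for cmd in migration_commands(SAMPLE):
        print(cmd)
```

Options outside these four, if your listing shows any for the IZP class, still have to be recorded and handled by hand.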