z/OS Security Server RACF System Programmer's Guide


Defining an RRSF environment

SA23-2287-00

Table 1 summarizes the tasks involved in defining an RRSF environment. Most of these tasks are usually performed by a system programmer, some might be performed by a security administrator, some might be performed by a network administrator, and some might be performed by all of these team members working together.

Table 1. Defining an RRSF environment—summary of tasks. Tasks that are not numbered can generally be done in any order.
Task | For more information, refer to …
STEP 1: Preparation
Determine which systems will be part of the environment and how they will be related. | The RRSF network
  • Decide on a unique RRSF logical node name for each node.
  • Find out the VTAM® LU name for each node for which you are using APPC as the protocol.
  • Find out the TCP/IP hostname or the IP address for each node for which you are using TCP/IP as the protocol.
  • Decide which nodes will be single-system nodes, and which will be multisystem nodes.
  • Decide what mode each RRSF node will operate in, remote or local.
  • For each RRSF node that is to operate in remote mode, decide which RRSF nodes it will communicate with.
Decide which RRSF functions you want to use on each RRSF node, and how you want to use them. | Customizing a remote sharing environment
Ensure that all systems to be in the environment have enabled the RACF® component of the z/OS Security Server. | System prerequisites
Evaluate whether you require cryptographic teleprocessing support, and implement this if required. | Encryption and masking of data
Ensure that the RACF template versions are compatible on all systems. | RACF template version considerations
Ensure that the RACF dynamic parse versions are compatible on all systems. | RACF dynamic parse version considerations
Ensure that the SETROPTS option settings are compatible on all systems. | SETROPTS options considerations
Ensure that installation exits are compatible on all systems. | Installation exit considerations
Ensure that password authentication algorithms are sufficient on all systems. | Installation exit considerations
If you are using APPC/MVS, configure VTAM and APPC/MVS (for remote mode only) | Setting up your system to use APPC/MVS and VTAM
  • Define NOSCHED LUs for RRSF nodes.
  • Specify VERIFY=REQUIRED on APPC LU definitions in SYS1.VTAMLST.
  • Create RACF profiles to protect APPC resources, specifying CONVSEC(ALREADYV) on the RDEFINEs.
  • Activate the APPCLU class, if not already activated.
  • Protect the ACBNAME used for RRSF.
  • Restrict access to the LU on the local system.
  • Define APPCPORT profiles to restrict access to LUs from remote systems.
  • Use APPCSERV profiles to protect APPC server access to the LU name associated with RRSF.
  • Activate the APPCPORT, APPCSERV, and APPCTP classes if not already active.
  • Control database token maintenance.
If you are using TCP/IP, set up TCP/IP and AT-TLS | Setting up your system to use TCP/IP
  • Protect the RRSF listener port
  • Set up AT-TLS
  • Prevent RACF from attempting remote communications before the AT-TLS policy is available
  • Ensure that the RACF subsystem address space can access the TCP/IP stack
  • Allow the subsystem address space to use z/OS® UNIX socket APIs
Determine whether any of the systems in the environment have installation-provided code to update a remote database, and if so determine whether you need to remove the code. | Considerations for installation-provided code
Determine whether installation exits need to know which address space they've been given control in, and update them if necessary. | Installation exit considerations
If you are planning to have RACF maintain synchronization of any profiles between databases, synchronize those profiles. | Synchronizing database profiles
Create or modify the JCL to activate the RACF subsystem. Make sure the user ID for the RACF subsystem can access the RRSF resources. If you plan to use TCP/IP, make sure that the user ID for the RACF subsystem has a UID, and that its default group has a GID. | RACF subsystem address space considerations
STEP 2: Configuration and customization
Configure the RRSF network. On each node, create a RACF parameter library containing the configuration statements to configure the network from that node's point of view. | Configuring an RRSF network
Ensure that the RACF parameter library is protected, and that the user ID assigned to the RACF subsystem has authority to it. | The RACF parameter library
Ensure that the workspace data sets are protected, and that the user ID assigned to the RACF subsystem has authority to them. | The discussion of the WORKSPACE keyword in Defining RRSF nodes to RACF
Customize the RRSF environment by defining RRSFDATA profiles. | Customizing a remote sharing environment
Activate the RRSFDATA class on each RRSF node. | Customizing a remote sharing environment
STEP 3: Enabling RACF communications
Restart the RACF subsystem on each RRSF node, to process the configuration statements in the node's RACF parameter library. | RACF subsystem address space considerations





Copyright IBM Corporation 1990, 2014