STEP 1: Preparation

Determine which systems will be part of the environment and how they will be related.
- Decide on a unique RRSF logical node name for each node.
- Find out the VTAM® LU name for each node for which you are using APPC as the protocol.
- Find out the TCP/IP hostname or the IP address for each node for which you are using TCP/IP as the protocol.
- Decide which nodes will be single-system nodes, and which will be multisystem nodes.
- Decide what mode each RRSF node will operate in, remote or local.
- For each RRSF node that is to operate in remote mode, decide which RRSF nodes it will communicate with.
| The RRSF network |

Decide which RRSF functions you want to use on each RRSF node, and how you want to use them. | Customizing a remote sharing environment |

Ensure that all systems to be in the environment have enabled the RACF® component of the z/OS Security Server. | System prerequisites |

Evaluate whether you require cryptographic teleprocessing support, and implement this if required. | Encryption and masking of data |

Ensure that the RACF template versions are compatible on all systems. | RACF template version considerations |

Ensure that the RACF dynamic parse versions are compatible on all systems. | RACF dynamic parse version considerations |

Ensure that the SETROPTS option settings are compatible on all systems. | SETROPTS options considerations |

Ensure that installation exits are compatible on all systems. | Installation exit considerations |

Ensure that password authentication algorithms are sufficient on all systems. | Installation exit considerations |

If you are using APPC/MVS, configure VTAM and APPC/MVS (for remote mode only):
- Define NOSCHED LUs for RRSF nodes.
- Specify VERIFY=REQUIRED on APPC LU definitions in SYS1.VTAMLST.
- Create RACF profiles to protect APPC resources, specifying CONVSEC(ALREADYV) on the RDEFINEs.
- Activate the APPCLU class, if not already activated.
- Protect the ACBNAME used for RRSF.
- Restrict access to the LU on the local system.
- Define APPCPORT profiles to restrict access to LUs from remote systems.
- Use APPCSERV profiles to protect APPC server access to the LU name associated with RRSF.
- Activate the APPCPORT, APPCSERV, and APPCTP classes if not already active.
- Control database token maintenance.
| Setting up your system to use APPC/MVS and VTAM |

If you are using TCP/IP, set up TCP/IP and AT-TLS:
- Protect the RRSF listener port.
- Set up AT-TLS.
- Prevent RACF from attempting remote communications before the AT-TLS policy is available.
- Ensure that the RACF subsystem address space can access the TCP/IP stack.
- Allow the subsystem address space to use z/OS® UNIX socket APIs.
| Setting up your system to use TCP/IP |

Determine whether any of the systems in the environment have installation-provided code to update a remote database, and if so determine whether you need to remove the code. | Considerations for installation-provided code |

Determine whether installation exits need to know which address space they've been given control in, and update them if necessary. | Installation exit considerations |

If you are planning to have RACF maintain synchronization of any profiles between databases, synchronize those profiles. | Synchronizing database profiles |

Create or modify the JCL to activate the RACF subsystem. Make sure the user ID for the RACF subsystem can access the RRSF resources. If you plan to use TCP/IP, make sure that the user ID for the RACF subsystem has a UID, and that its default group has a GID. | RACF subsystem address space considerations |

STEP 2: Configuration and customization

Configure the RRSF network. On each node, create a RACF parameter library containing the configuration statements to configure the network from that node's point of view. | Configuring an RRSF network |

Ensure that the RACF parameter library is protected, and that the user ID assigned to the RACF subsystem has authority to it. | The RACF parameter library |

Ensure that the workspace data sets are protected, and that the user ID assigned to the RACF subsystem has authority to them. | The discussion of the WORKSPACE keyword in Defining RRSF nodes to RACF |

Customize the RRSF environment by defining RRSFDATA profiles. | Customizing a remote sharing environment |

Activate the RRSFDATA class on each RRSF node. | Customizing a remote sharing environment |

STEP 3: Enabling RACF communications

Restart the RACF subsystem on each RRSF node, to process the configuration statements in the node's RACF parameter library. | RACF subsystem address space considerations |