z/OS Security Server RACF Security Administrator's Guide


Using the UNIXMAP class and Virtual Lookaside Facility (VLF)

SA23-2289-00

It is important to use Virtual Lookaside Facility (VLF) and the UNIXMAP class to improve performance. You might also need to use VLF and UNIXMAP class if your system programmer has not yet converted your systems for stage 3 of application identity mapping. See z/OS Security Server RACF System Programmer's Guide for information about converting to stage 3 by running the IRRIRA00 conversion utility.

VLF (and the associated VLF classes IRRUMAP and IRRGMAP) and the UNIXMAP class are used to map UIDs to RACF® user IDs and GIDs to RACF group names. Both VLF and the UNIXMAP class can be either active or inactive. Table 1 shows how these states affect performance. It is recommended that both the UNIXMAP class and VLF remain active, and that the VLF classes IRRUMAP and IRRGMAP be defined to VLF.

Table 1. The UNIXMAP class and VLF: Effects on performance for installations that have not reached stage 3 of application identity mapping

| UNIXMAP class | VLF | Performance |
|---|---|---|
| Active | Active | Running in this state at all times will give you the best performance. |
| Active | Inactive | If VLF is inactive, requests for UID-to-user-ID mapping and GID-to-group-name mapping must access a UNIXMAP class profile in the database, which degrades performance. Running with VLF inactive should be done only when you need to stop VLF to make changes to it. |
| Inactive | Active | If the UNIXMAP class is inactive, requests for UID-to-user-ID mapping and GID-to-group-name mapping must search the entire RACF database when the UID or GID specified is not found in VLF. Running in this state degrades performance severely. The inactive state for the UNIXMAP class is provided as a migration aid. After migration is complete, you should never need to run with the UNIXMAP class inactive. |
| Inactive | Inactive | Running with both VLF inactive and the UNIXMAP class inactive causes requests for UID-to-user-ID mapping and GID-to-group-name mapping to default to searching the RACF database on each request. Running in this state significantly degrades performance of these functions. It could also affect other systems in a complex sharing the RACF database because of the increased I/O to the database. It is recommended that you never run in this state. |

You have the option to cache additional z/OS UNIX security information in VLF. This capability allows RACF to avoid accessing the RACF database when called to create a security environment for z/OS UNIX users. To use the cached user security (USP) packet, the IRRSMAP class must be defined to VLF. For more information, see z/OS Security Server RACF System Programmer's Guide.
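
The VLF class definitions this topic refers to (IRRUMAP, IRRGMAP and IRRSMAP), shown as a COFVLFxx parmlib fragment. This is an added example, not text from this page: the EMAJ major names are the ones RACF uses for these classes and do not appear on this page, and the member suffix `xx` is a placeholder.

```text
/* COFVLFxx: VLF classes used by RACF for z/OS UNIX mapping         */
/* (added example; "xx" is a placeholder member suffix)             */

CLASS NAME(IRRUMAP)      /* UID-to-RACF-user-ID mapping table       */
      EMAJ(UMAP)         /* Major name = UMAP                       */

CLASS NAME(IRRGMAP)      /* GID-to-RACF-group-name mapping table    */
      EMAJ(GMAP)         /* Major name = GMAP                       */

CLASS NAME(IRRSMAP)      /* Cached user security packet (USP)       */
      EMAJ(SMAP)         /* Major name = SMAP                       */
```

VLF reads this member when it is started, so the definitions take effect at the next VLF start. The UNIXMAP class is activated separately with the RACF command `SETROPTS CLASSACT(UNIXMAP)`, and `SETROPTS LIST` shows whether it is currently active.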

For information about the effect of certain RACF commands on VLF, see RACF commands for flushing a VLF cache.





Copyright IBM Corporation 1990, 2014