z/OS Version 1 Release 8 RACF Implementation

Book description

This IBM Redbooks publication describes the implementation of RACF® in z/OS® Version 1 Release 8. This release continues to deliver industry leadership for security. Improvements have been introduced to further enhance the security-rich environment z/OS users rely on. These enhancements include:

- RACF support for virtual key rings to treat the collection of all the certificates owned by one user ID, including the SITE and CERTAUTH reserved user IDs, as an independent key ring. The use of the CERTAUTH virtual key ring will help to eliminate the need to manually create multiple real key rings for SSL-enabled z/OS client applications such as FTP.

- RACF template extensions allow templates to expand beyond their current 4K size.

- RACF supports the use of passwords longer than eight characters, now called password phrases.

- The RACF access control module exit, DSNXRXAC, has changed substantially with DB2® version 9. RACF administrators can now define a security rule before an object is created and preserve the rule for a dropped object. In addition, RACF general resource member and group profiles can be used by an installation to protect multiple DB2 resources with a single RACF profile.

- A new parameter on the IRRUT200 utility tells the utility to activate the backup data set that it writes as output. This is accomplished by the utility internally issuing an RVARY ACTIVE for the backup data set after the copy is complete. The IRRUT200 and IRRUT400 utilities now check whether their output data sets are active primary or backup RACF data sets on this system.

- New RACF health checks are introduced.

- RACF in z/OS V1R8 closes some functional gaps in the way that change logging of RACF profile updates was reflected in z/OS LDAP, and LISTUSER is enhanced to show whether password enveloping is enabled for a user.

In addition to describing the new features, this book includes detailed steps for implementing these enhancements. It explains how to configure them for your installation and how to use them to increase the security of your environment.

Table of contents

  1. Notices
    1. Trademarks
  2. Preface
    1. The team that wrote this redbook
    2. Become a published author
    3. Comments welcome
  3. Chapter 1: RACF Version 1 Release 8
    1. Overview of RACF enhancements
    2. Password phrase support
    3. New RACF health checks
    4. Enhancements with IRRUT200 and IRRUT400
    5. LDAP change log
    6. Digital certificate support enhancements
    7. SAF identity token
    8. z/OS DB2 Version 8 support
    9. Remote authorization and auditing
    10. IRRSDA00 enhancements
  4. Chapter 2: Password phrase
    1. Password phrase benefits
      1. Password phrase concepts
    2. Password phrase and password
    3. How the password phrase works
      1. Password phrase rules
      2. New password phrase ICHPWX11 exit
      3. Password phrase change interval
    4. RACF commands and password phrase
    5. RACF remote sharing facility (RRSF)
      1. Password phrase synchronization via PWSYNC
    6. Password phrase and SETROPTS PASSWORD options
    7. Password phrase auditing
    8. Protected user IDs and password phrase
    9. Providing the ability to reset password phrases
    10. RACF utilities changes
      1. RACF SMF data unload utility (IRRADU00)
      2. RACF data security monitor (DSMON)
      3. RACF database unload utility program (IRRDBU00)
    11. New and changed RACF messages
  5. Chapter 3: Availability improvements for IRRUT200 and IRRUT400
    1. Synchronized copy with IRRUT200
      1. Pre-z/OS V1R8 implementation
      2. Synchronized copy solution
      3. Interaction, dependencies, and migration considerations
    2. Safety features for IRRUT200 and IRRUT400
      1. Safety features with z/OS V1R8
      2. Safety feature implementation examples
      3. Interaction, dependencies, and migration considerations
    3. Publication updates
      1. Publications
      2. Changed IRRUT200 messages
      3. New IRRUT200 messages
      4. New and changed IRRUT400 messages
  6. Chapter 4: RACF and the DB2 access control module
    1. Previous DB2 versions
      1. Security implementation
      2. Expanding RACF protection to DB2 objects
    2. The RACF access control module - DSNXRXAC
      1. Modifying the RACF access control module
      2. Activating the RACF access control module
      3. Restarting DB2 with the RACF access control module
    3. Protecting DB2 objects with RACF profiles
      1. DB2 object privileges
      2. Mapping DB2 authorization checks
      3. Preventing cascading revoke
    4. Authorization checking
    5. Auditing considerations
      1. Debugging considerations
    6. Multilevel security
      1. DB2 and multilevel security
      2. Multilevel security with row-level granularity
  7. Chapter 5: RACF virtual key ring support
    1. RACF and key rings
      1. Secure Sockets Layer
      2. R_datalib (IRRSDL00) callable services
      3. What is a virtual key ring
      4. Problems before z/OS V1R8
      5. RACF virtual key ring benefits
      6. How to use a virtual key ring
      7. Virtual key ring usage and invocation
      8. Virtual key ring implementation
      9. Real key ring and virtual key ring
    2. Related publications
  8. Chapter 6: PKI Services
    1. Introduction to PKI
    2. Overview of PKI Services
      1. Basic components of PKI Services and related products
    3. PKI Services multiple CAs overview
      1. z/OS V1R8 enhancements
      2. Loosely coupled CA examples
      3. Setup for PKI Services
    4. PKI Services support for SCEP
      1. PKI Services SCEP overview
      2. PKI Services usage considerations
      3. Using PKI Services utilities
      4. Preregistration rules
  9. Chapter 7: RACF health checks
    1. IBM Health Checker for z/OS
      1. Health checker overview
      2. Flow of IBM Health Checker for z/OS
      3. Security of IBM Health Checker for z/OS
      4. User interface to manage checks
      5. Using SDSF panels
      6. Using (E)JES panels
      7. Health Checker for z/OS commands via MODIFY command
      8. HZSPRMxx parmlib member and policies
      9. Policy statements
      10. Categories to manage and display information
      11. Criteria for the checks
    2. Common features of all RACF checks
    3. New RACF checks
      1. Check RACF__ACTIVE
      2. Check RACF_IBMUSER_REVOKED
    4. Enhanced RACF checks
      1. Check RACF_GRS_RNL
      2. Check RACF_SENSITIVE_RESOURCES
  10. Chapter 8: LDAP change logging
    1. LDAP overview
    2. Change log processing prior to z/OS V1R8
    3. Change log processing enhancements in z/OS V1R8
    4. Activating LDAP change notification
    5. Password enveloping enhancements
    6. Change logging of password changes
  11. Chapter 9: Template and profile extensions
    1. RACF database template extensions
      1. Applications that read the RACF database directly
      2. Migration considerations
    2. Enhancements made to RACF profiles
      1. Allowing or disallowing generics in static classes
      2. Allowing or disallowing generics in dynamic classes
      3. New messages with z/OS V1R8
      4. Migration and coexistence considerations
    3. IRRDPI00 LIST command granularity
    4. KERBLINK class enhancement
      1. Migration considerations for KERBLINK class
    5. OMVS FILEPROCMAX change
  12. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. How to get IBM Redbooks
    5. Help from IBM
  13. Index
  14. Back cover

Product information

  • Title: z/OS Version 1 Release 8 RACF Implementation
  • Author(s): Paul Rogers, Rogerio E. M. Camargo, Gillian Gainsford, Rita Pleus
  • Release date: February 2007
  • Publisher(s): IBM Redbooks
  • ISBN: None