How to improve RACF performance (v0.2 - 2016)
TRANSCRIPT
Delivering the best in z services, software, hardware and training.
World Class z Specialists
How to improve RACF performance
Rui Miguel Feio – Senior Technical Lead
Agenda
Conclusion: Summary of what was discussed and key points to remember
Questions: Ask away any questions that you may have!
Things to Consider: Other things that you may consider when improving RACF performance and security
Improve Performance: Technical description of ways to improve performance in RACF
Performance: What is performance and areas that can help to improve performance in RACF
About Me: Brief description about the presenter
Who Am I?
RUI MIGUEL FEIO
SENIOR TECHNICAL LEAD
Key facts:
• Working with RSM since 2010
• Working with mainframes for the past 17 years
• Started with IBM as an MVS Sys Programmer
• Specialises in mainframe security
• Experience in other platforms
RACF Performance
• RACF DB allocation
• # RACF DBs
• RACF Exits
• SETROPTS
• Global Access Table
• RACLIST
• RACF DB Maintenance
• Processes
• Procedures
RACF
Global Access Table (GAT)
Improve performance:
• Include “public” resources
• Reduce the number of entries to minimise time spent checking the GAT
• Deactivate GAT checking if there are no GAT entries for a specific class
Bear in mind:
• Access granted via the GAT isn’t logged
• An entry in the GAT supersedes any corresponding RACF resource profiles
• Define equivalent profiles in RACF classes in case GAT becomes unavailable
RACLIST
Improve performance:
• RACLIST every RACF class you can
• Alternatively use RACGLIST and GENLIST:
  • With GENLIST, RACF information is copied into real storage (ECSA)
  • GENLIST works best with frequently accessed profiles
  • RACGLIST reduces IPL time in a data sharing environment
Bear in mind:
• RACLIST copies RACF information into virtual space
• Don’t refresh in-storage data too often
• RACLIST and GENLIST can’t be used together
• In most sites use of RACLIST is sufficient
SETROPTS
STATISTICS(class_name)
• Applies to discrete non-RACLISTed profiles
• Produces statistics of little value
• Disable this by issuing SETROPTS NOSTATISTICS(*)
AUDIT(class_name) & LOGOPTIONS(option)
• Don’t audit frequent, unimportant events
• Don’t use AUDIT(SUCCESS) on APPL profiles
• Use dataset profiles’ AUDIT option instead of AUDIT(DATASET)
• Don’t use LOGOPTIONS(ALWAYS) for frequently used RACF classes
SETROPTS
ERASE(option)
• Avoid using ERASE(ALL)
• With modern DASD, DASD does the work and no CPU or I/O is involved which means the impact is minimum but…
• Check this option with your Storage team
OPERAUDIT
• To avoid producing excessive SMF records that may affect system performance, some sites opt for NOOPERAUDIT
• If using System or Group wide OPERATIONS then OPERAUDIT should be enabled
• Replace OPERATIONS by equivalent Storage Administration
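A small linter for the SETROPTS advice on the slides above (STATISTICS, AUDIT, LOGOPTIONS, ERASE, OPERAUDIT and the RACLIST/GENLIST conflict), as an added example that is not part of the original presentation. The function names and sample commands are constructed for illustration; it only reads command text, such as a change script, and treats "can't be used together" as applying to the same class, which is an assumption.

```python
import re

# OPERAND(value); value may nest one level, e.g. LOGOPTIONS(ALWAYS(TERMINAL)).
OPERAND = re.compile(r"(\w+)\(((?:[^()]|\([^()]*\))*)\)")
def class_names(value):
    return set(re.findall(r"[A-Z0-9#@$*]+", value.upper()))

def lint_setropts(commands):
    """Return (rule, detail) findings for SETROPTS commands, per the slides."""
    findings, raclist, genlist = [], set(), set()
    for cmd in commands:
        text = cmd.upper().strip()
        if not re.match(r"SETR(OPTS)?\s", text):
            continue  # not a SETROPTS (or abbreviated SETR) command
        if re.search(r"\bNOOPERAUDIT\b", text):
            findings.append(("OPERAUDIT", "NOOPERAUDIT set; enable OPERAUDIT if OPERATIONS is in use"))
        for name, value in OPERAND.findall(text):
            if name == "STATISTICS":
                findings.append(("STATISTICS", f"statistics on for {sorted(class_names(value))}"))
            elif name == "AUDIT" and "DATASET" in class_names(value):
                findings.append(("AUDIT", "AUDIT(DATASET); use the dataset profiles' AUDIT option"))
            elif name == "LOGOPTIONS":
                m = re.search(r"\bALWAYS\(([^()]*)\)", value)
                if m:
                    findings.append(("LOGOPTIONS", f"ALWAYS for {sorted(class_names(m.group(1)))}"))
            elif name == "ERASE" and value.strip() == "ALL":
                findings.append(("ERASE", "ERASE(ALL); check the impact with the Storage team"))
            elif name == "RACLIST":
                raclist |= class_names(value)
            elif name == "GENLIST":
                genlist |= class_names(value)
    # Assumption: the conflict applies when one class appears in both lists.
    for cls in sorted(raclist & genlist):
        findings.append(("RACLIST/GENLIST", f"{cls} is in both RACLIST and GENLIST"))
    return findings

# Constructed sample input (not from the presentation).
SAMPLE = [
    "SETROPTS NOSTATISTICS(*)",
    "SETROPTS STATISTICS(DATASET)",
    "SETROPTS AUDIT(DATASET USER)",
    "SETROPTS LOGOPTIONS(ALWAYS(TERMINAL) FAILURES(FACILITY))",
    "SETROPTS ERASE(ALL) NOOPERAUDIT",
    "SETROPTS RACLIST(FACILITY OPERCMDS)",
    "SETR GENLIST(FACILITY)",
]

if __name__ == "__main__":
    for rule, detail in lint_setropts(SAMPLE):
        print(f"{rule}: {detail}")
```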
VLF
• Virtual Lookaside Facility
• RACF may benefit from caching
• Cached entities can include:
  • Logon credentials (ACEE)
  • Group Tree in storage
  • User Security Packets (USP) and UID/GID mapping
• Speak with the SysProgs team
[Diagram labels: System, Data Blocks, z/OS]
ERV
• Enqueue Residence Value
• Increase ERV in IEAOPTxx
• Grants more CPU to any process with an enqueue on RACF
• The default value is 500
• Recommended value is in the range of 40,000 to 50,000
• This will optimise performance to any enqueues to system resources
• Speak with SysProgs team
CF
• Coupling Facility
• RACF DBs shared in a Sysplex can benefit from CF caching
• Index and data blocks will be stored in the CF
• Can use CF even for a stand-alone non-sysplex system
• Ensure CF cache is large enough to hold all non-RACLISTed profiles
• Speak with SysProgs team
GRS
• Global Resource Serialisation
• Applies for 2 or more non-sysplex systems sharing a RACF DB with no Coupling Facility (CF)
• GRS can convert RESERVEs to global ENQs
• Each system is given exclusive control for one update request at a time:
  • Lock is only for the RACF DB
  • Lock is not for the DASD vol.
• Solves the contention problems caused by the exclusive RESERVEs
Data Blocks
• Resident Index Blocks (RID)
• Always try using the max RIDs (255)
• RIDs are searched very fast and reduce I/O to the RACF DB
• Must be using the RACF DB name table (ICHRDSNT)
• If you don’t use RID and ICHRDSNT your RACF has a very poor performance
RACF DB
• A RACF DB has a single set of in-storage resident data block buffers
• Split the RACF DB for highly active RACF DBs
• Split into up to 99 RACF DB dataset pairs (Primary/Backup)
• Requires Sysplex wide IPL for change to the ICHRRNG table implementation
• ICHRRNG is used to specify how profiles are distributed across the various RACF DB datasets
DASD
• High system usage and peak logon periods may cause I/O impact
• Allocate RACF DBs on their own DASD volumes with no other high usage datasets on them
• Speak with Storage team
Access Date
• Reduce updates to last access date
• Every time a user logs on to the system, RACF updates the “last-access” date and time
• This info is used to enforce password change frequencies and perform automatic revokes
• Occurs when an application passes its APPLID to RACF
• RACF only needs to know the most recent date
• APPLDATA field needs to have RACF-INITSTATS(DAILY) in the APPL class profile
EXITS
• Poorly designed RACF EXITS can degrade performance
• Many access checks might be expected to fail before the authority is determined.
• Preferably do not audit these failures
• Make sure the RACF EXITS deal with these events without impacting performance
RACF Security team
Tools: Use tools that will help with the security role (e.g. IBM zSecure, Vanguard)
Collaborate: Collaborate with other mainframe teams. Consider sharing ideas with teams of other companies
Education: Keep up-to-date with what’s happening in the mainframe realm
RACF DB: Maintain RACF DB; remove redundant profiles, userids, groups and Classes.
Group Tree: Review and remediate RACF group tree structure (e.g. RBAC)
Processes: Implement adequate security processes and procedures
Other things to consider
Improve Security
• Perform regular:
  • Security audits
  • Security penetration tests
  • Vulnerability scans
• Consider:
  • Subsystems (DB2, CICS, …)
  • ISV products
  • Internal applications
In Conclusion…
Strategy: Define a strategy with the other teams on how to improve the systems, processes and procedures
Measures & Targets: To evaluate performance improvement you need to be able to measure and compare.
Performance Analysis: Performance team needs to get involved to help with the performance improvement
Assessment: Optimising RACF is not only a systems task; it is also a team effort. Assess who needs to be involved and what will need changing.
Objectives: The objective of improving performance needs to take into consideration other aspects such as cost, effort, etc.
Strategic Initiatives: In a world ever more dependent on technology, performance and security must go hand-in-hand.
Strategy Map: Once a strategy is defined, a “map” must be made available to all parties to allow full implementation.
Evaluation: Evaluate the impact of changes in terms of performance and security and remediate accordingly if required.
Contact
Rui Miguel Feio, [email protected]
mobile: +44 (0) 7570 911459
linkedin: www.linkedin.com/in/rfeio
www.rsmpartners.com