How to improve RACF performance (v0.2 - 2016)

Delivering the best in z services, software, hardware and training.
World Class z Specialists
How to improve RACF performance
Rui Miguel Feio – Senior Technical Lead

Upload: rui-miguel-feio

Post on 18-Jan-2017


Agenda

• About Me: Brief description about the presenter
• Performance: What is performance and areas that can help to improve performance in RACF
• Improve Performance: Technical description of ways to improve performance in RACF
• Things to Consider: Other things that you may consider when improving RACF performance and security
• Conclusion: Summary of what was discussed and key points to remember
• Questions: Ask away any questions that you may have!

Who Am I?

RUI MIGUEL FEIO, SENIOR TECHNICAL LEAD

Key facts:
• Working with RSM since 2010
• Working with mainframes for the past 17 years
• Started with IBM as an MVS SysProgrammer
• Specialises in mainframe security
• Experience in other platforms

Performance

Performance - how well a person, machine, etc. does a piece of work or an activity.

RACF Performance
• RACF DB allocation
• # RACF DBs
• RACF Exits

• SETROPTS
• Global Access Table
• RACLIST

• RACF DB Maintenance
• Processes
• Procedures

RACF Subsystem

Global Access Table (GAT)

Improve performance:
• Include “public” resources
• Reduced number of entries to minimise time spent checking the GAT
• Deactivate GAT checking if there are no GAT entries for a specific class

Bear in mind:
• Access granted via the GAT isn’t logged
• An entry in the GAT supersedes any corresponding RACF resource profiles
• Define equivalent profiles in RACF classes in case GAT becomes unavailable

RACLIST

Improve performance:
• RACLIST every RACF class you can
• Alternatively use RACGLIST and GENLIST:
  • With GENLIST, RACF information is copied into real storage (ECSA)
  • GENLIST works best with frequently accessed profiles
  • RACGLIST reduces IPL time in a data sharing environment

Bear in mind:
• RACLIST copies RACF information into virtual space
• Don’t refresh in-storage data too often
• RACLIST and GENLIST can’t be used together
• In most sites use of RACLIST is sufficient

SETROPTS

STATISTICS(class_name)
• Applies to discrete non-RACLISTed profiles
• Produces statistics of little value
• Disable this by issuing SETROPTS NOSTATISTICS(*)

AUDIT(class_name) & LOGOPTIONS(option)
• Don’t audit frequent, unimportant events
• Don’t use AUDIT(SUCCESS) on APPL profiles
• Use dataset profiles’ AUDIT option instead of AUDIT(DATASET)
• Don’t use LOGOPTIONS(ALWAYS) for frequently used RACF classes

ERASE(option)
• Avoid using ERASE(ALL)
• With modern DASD, DASD does the work and no CPU or I/O is involved which means the impact is minimum but…
• Check this option with your Storage team

OPERAUDIT
• To avoid producing excessive SMF records that may affect system performance, some sites opt for NOOPERAUDIT
• If using System or Group wide OPERATIONS then OPERAUDIT should be enabled
• Replace OPERATIONS by equivalent Storage Administration
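
An added example, not part of the original slides: a small Python review of captured SETROPTS LIST output against the STATISTICS, LOGOPTIONS, RACLIST and OPERAUDIT points above. The sample text is constructed, and its labels and line wrapping are assumptions about the report layout that should be checked against your own system.

```python
import re

# Constructed sample modelled on SETROPTS LIST output. The labels and the
# wrapped class list are assumptions: compare with your own system's output.
SAMPLE = '''\
ATTRIBUTES = INITSTATS SAUDIT CMDVIOL NOOPERAUDIT
STATISTICS = DATASET TERMINAL
ACTIVE CLASSES = DATASET USER GROUP APPL FACILITY OPERCMDS
                 TERMINAL
GENLIST CLASSES = NONE
SETR RACLIST CLASSES = FACILITY
LOGOPTIONS "ALWAYS" CLASSES = FACILITY
'''

NOT_RACLISTABLE = {"DATASET", "USER", "GROUP"}  # not general resource classes

def parse_setropts(text):
    """Map each 'LABEL = values' line to a token list, joining wrapped lines."""
    settings, key = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?) = (.*)$", line)
        if m:
            key = m.group(1)
            settings[key] = m.group(2).split()
        elif key and line.startswith(" ") and line.strip():
            settings[key] += line.split()  # continuation of the previous list
        else:
            key = None
    return settings

def classes(settings, label):
    vals = settings.get(label, [])
    return [] if vals == ["NONE"] else vals

def review(text):
    """Return {finding: items}; NOOPERAUDIT is flagged so OPERATIONS use gets checked."""
    s = parse_setropts(text)
    skip = set(classes(s, "SETR RACLIST CLASSES") + classes(s, "GENLIST CLASSES")) | NOT_RACLISTABLE
    findings = {
        "statistics_on": classes(s, "STATISTICS"),
        "logoptions_always": classes(s, 'LOGOPTIONS "ALWAYS" CLASSES'),
        "not_raclisted": [c for c in classes(s, "ACTIVE CLASSES") if c not in skip],
        "check_operations_users": ["NOOPERAUDIT"] if "NOOPERAUDIT" in s.get("ATTRIBUTES", []) else [],
    }
    return {name: items for name, items in findings.items() if items}

if __name__ == "__main__":
    for name, items in review(SAMPLE).items():
        print(f"{name}: {' '.join(items)}")
```

Each finding is a prompt for review rather than a verdict: a class listed under not_raclisted may be one that cannot or should not be RACLISTed at your site.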

System

VLF
• Virtual Lookaside Facility
• RACF may benefit from caching
• Cached entities can include:
  • Logon credentials (ACEE)
  • Group Tree in storage
  • User Security Packets (USP) and UID/GID mapping
• Speak with the SysProgs team


ERV
• Enqueue Residence Value
• Increase ERV in IEAOPTxx
• Grants more CPU to any process with an enqueue on RACF
• The default value is 500
• Recommended value is in the range of 40,000 to 50,000
• This will optimise performance to any enqueues to system resources
• Speak with SysProgs team


CF
• Coupling Facility
• RACF DBs shared in a Sysplex can benefit from CF caching
• Index and data blocks will be stored in the CF
• Can use CF even for a stand-alone non-sysplex system
• Ensure CF cache is large enough to hold all non-RACLISTed profiles
• Speak with SysProgs team


GRS
• Global Resource Serialisation
• Applies for 2 or more non-sysplex systems sharing a RACF DB with no Coupling Facility (CF)
• GRS can convert RESERVEs to global ENQs
• Each system is given exclusive control for one update request at a time:
  • Lock is only for the RACF DB
  • Lock is not for the DASD vol.
• Solves the contention problems caused by the exclusive RESERVEs


Data Blocks
• Resident Index Blocks (RID)
• Always try using the max RIDs (255)
• RIDs are searched very fast and reduce I/O to the RACF DB
• Must be using the RACF DB name table (ICHRDSNT)
• If you don’t use RID and ICHRDSNT, your RACF will have very poor performance


RACF DB
• A RACF DB has a single set of in-storage resident data block buffers
• Split the RACF DB for highly active RACF DBs
• Split into up to 99 RACF DB dataset pairs (Primary/Backup)
• Requires Sysplex wide IPL for change to the ICHRRNG table implementation
• ICHRRNG is used to specify how profiles are distributed across the various RACF DB datasets


DASD
• High system usage and peak logon periods may cause I/O impact
• Allocate RACF DBs on their own DASD volumes with no other high usage datasets on them
• Speak with Storage team


Access Date
• Reduce updates to last access date
• Every time a user logs on to the system, RACF updates the “last-access” date and time
• This info is used to enforce password change frequencies and perform automatic revokes
• Occurs when an application passes its APPLID to RACF
• RACF only needs to know the most recent date
• APPLDATA field needs to have RACF-INITSTATS(DAILY) in the APPL class profile


EXITS
• Poorly designed RACF EXITS can degrade performance
• Many access checks might be expected to fail before the authority is determined.
• Preferably do not audit these failures
• Make sure the RACF EXITS deal with these events without impacting performance


RACF Security Team

• Tools: Use tools that will help with the security role (e.g. IBM zSecure, Vanguard)
• Collaborate: Collaborate with other mainframe teams. Consider sharing ideas with teams of other companies
• Education: Keep up-to-date with what’s happening in the mainframe realm
• RACF DB: Maintain RACF DB; remove redundant profiles, userids, groups and Classes.
• Group Tree: Review and remediate RACF group tree structure (e.g. RBAC)
• Processes: Implement adequate security processes and procedures

Other things to consider

Improve Security

• Perform regular:
  • Security audits
  • Security penetration test
  • Vulnerability scannings
• Consider:
  • Subsystems (DB2, CICS, …)
  • ISV products
  • Internal applications

Conclusion

In Conclusion…

• Strategy: Define a strategy with the other teams on how to improve the systems, processes and procedures
• Measures & Targets: To evaluate performance improvement you need to be able to measure and compare.
• Performance Analysis: Performance team needs to get involved to help with the performance improvement
• Assessment: Optimising RACF is not only a systems task; it is also a team effort. Assess who needs to be involved and what will need changing.
• Objectives: The objective of improving performance needs to take into consideration other aspects such as cost, effort, etc.
• Strategic Initiatives: In a world ever more dependent on technology, performance and security must go hand-in-hand.
• Strategy Map: Once a strategy is defined, a “map” must be made available to all parties to allow full implementation.
• Evaluation: Evaluate the impact of changes in terms of performance and security and remediate accordingly if required.

Questions

Contact

Rui Miguel Feio, [email protected]
mobile: +44 (0) 7570 911459
linkedin: www.linkedin.com/in/rfeio
www.rsmpartners.com