z/OS Version 2 Release 3 Security Server RACF Security Administrator's Guide IBM SA23-2289-30


z/OS Version 2 Release 3

Security Server RACF Security Administrator's Guide

IBM

SA23-2289-30

Note

Before using this information and the product it supports, read the information in “Notices” on page 717.

This edition applies to Version 2 Release 3 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions.

Last updated: 2019-02-25

© Copyright International Business Machines Corporation 1994, 2018.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

List of Figures ... xix
List of Tables ... xxi

About this document ... xxiii
    Who should use this document ... xxiii
    How to use this document ... xxiii
    Where to find more information ... xxiii
        RACF courses ... xxiv
        Other sources of information ... xxiv
        Internet sources ... xxiv

How to send your comments to IBM ... xxv
    If you have a technical problem ... xxv

Summary of changes ... xxvi
    Summary of changes for z/OS Version 2 Release 3 (V2R3) ... xxvi
    Summary of changes for z/OS Version 2 Release 2 (V2R2) as updated March 2017 ... xxvii
    Summary of changes for z/OS Version 2 Release 2 (V2R2) as updated June 2016 ... xxvii
    Summary of changes made in z/OS Version 2 Release 2 ... xxviii
    z/OS Version 2 Release 1 summary of changes ... xxx

Chapter 1. Introduction ... 1
    How RACF meets security needs ... 1
        User identification and verification ... 1
        Authorization checking ... 2
        Logging and reporting ... 2
        User accountability ... 3
        Flexibility ... 7
        RACF transparency ... 7
        Implementing multilevel security ... 7
    Multilevel security ... 8
        Characteristics of a multilevel-secure environment ... 8
    Administering security ... 9
        Delegating administration tasks ... 9
        Administering security when a z/VM system shares the RACF database ... 10
        Using RACF commands or panels ... 10
    RACF group and user structure ... 12
        Defining users and groups ... 12
        Protecting resources ... 17
        Security classification of users and data ... 20
        Selecting RACF options ... 20
    Using RACF installation exits to customize RACF ... 20
        The RACROUTE REQUEST=VERIFY, VERIFYX, AUTH, and DEFINE exits ... 20
        The RACROUTE REQUEST=LIST exits ... 21
        The RACROUTE REQUEST=FASTAUTH exits ... 21
        The RACF command exits ... 21
        The RACF password processing exits ... 21
        The RACF password authentication exits ... 21
    Tools for the security administrator ... 22
        Using RACF utilities ... 22
        RACF block update command (BLKUPD) ... 24
        Using the RACF report writer ... 24


        Using the data security monitor ... 24
        Recording statistics in RACF profiles ... 24
        Listing information from RACF profiles ... 25
        Searching for RACF profile names ... 27
        Using the LIST and SEARCH commands effectively ... 28

Chapter 2. Organizing for RACF implementation ... 31
    Ensuring management commitment ... 31
    Selecting the security implementation team ... 31
        Responsibilities of the implementation team ... 32
    Defining security objectives and preparing the implementation plan ... 32
    Deciding what to protect ... 33
        Protecting existing data ... 33
        Protecting new data ... 34
        Allowing a warning period ... 35
    Establishing ownership structures ... 36
        Selecting user IDs and group names ... 36
        Establishing your RACF group structure ... 37
    Educating the system users ... 39
    Summary ... 40

Chapter 3. Defining users ... 43
    User profiles ... 43
        The base segment in user profiles ... 45
        The CICS segment in user profiles ... 46
        The CSDATA segment in user profiles ... 47
        The DCE segment in user profiles ... 47
        The DFP segment in user profiles ... 47
        The KERB segment in user profiles ... 48
        The LANGUAGE segment in user profiles ... 48
        The LNOTES segment in user profiles ... 49
        The NDS segment in user profiles ... 49
        The NETVIEW segment in user profiles ... 49
        The OMVS segment in user profiles ... 49
        The OPERPARM segment in user profiles ... 50
        The OVM segment in user profiles ... 51
        The PROXY segment in user profiles ... 52
        The TSO segment in user profiles ... 52
        The WORKATTR segment in user profiles ... 53
    User naming conventions ... 54
    Suggestions for defining user IDs ... 54
        Migrating existing user IDs to RACF ... 55
        Creating new user IDs from scratch ... 55
        Creating user IDs for system operators ... 55
        Creating user IDs for RRSF users ... 55
    Ownership of a RACF user profile ... 55
    User attributes ... 55
        The SPECIAL attribute ... 56
        The AUDITOR attribute ... 56
        The ROAUDIT attribute ... 57
        The OPERATIONS attribute ... 57
        The CLAUTH (class authority) attribute ... 59
        The REVOKE attribute ... 59
        The GRPACC (group access) attribute ... 60
        The ADSP (automatic data set protection) attribute ... 60
        The RESTRICTED attribute ... 61
    User attributes at the group level ... 61


        The scope of authority for the users with group-level attributes ... 61
    Suggestions for assigning user attributes ... 65
    Verifying user attributes ... 66
    Default universal access authority (UACC) ... 66
    Assigning security categories, levels, and labels to users ... 66
    Passwords and password phrases ... 67
    Assigning password phrases ... 68
    Multi-Factor Authentication for z/OS ... 69
        What is Multi-Factor Authentication? ... 69
        IBM MFA on z/OS ... 70
        Configuring RACF for IBM MFA ... 70
        MFA application bypass ... 71
        MFA policy ... 71
        MFA compound In-Band ... 71
    Limiting when a user can access the system ... 72
        Time-of-day and day-of-week checking for users and terminals ... 72
    Defining protected user IDs ... 73
        Restrictions for using protected user IDs with z/VM systems ... 73
    Defining restricted user IDs ... 73
        Using restricted user IDs for digital certificate users ... 74
        Using restricted user IDs for distributed identity users ... 74
        Using restricted user IDs with a shared z/VM system ... 74
    Summary of steps for defining users ... 74
    Summary of steps for deleting users ... 76
    General considerations for user ID delegation ... 78

Chapter 4. Defining groups ... 81
    Types of groups ... 81
        Administrative groups ... 81
        Holding groups ... 81
        Data control groups ... 81
        Functional groups ... 82
        User groups ... 82
    Group profiles ... 82
        The Base segment in group profiles ... 82
        The CSDATA segment in group profiles ... 83
        The DFP segment in group profiles ... 83
        The OMVS segment in group profiles ... 83
        The OVM segment in group profiles ... 84
        The TME segment in group profiles ... 84
        Defining large groups with the UNIVERSAL attribute ... 84
        Group naming conventions ... 85
        Benefits of using RACF groups ... 85
        Group ownership and levels of group authority ... 86
    Summary of steps for defining a RACF group ... 89
    Summary of steps for deleting groups ... 90

Chapter 5. Classifying users and data ... 93
    Security classification of users and data ... 93
        Effect on RACF authorization checking ... 93
    Understanding security levels and security categories ... 94
        CATEGORY and SECLEVEL information in profiles ... 95
        Converting from LEVEL to SECLEVEL ... 95
        Deleting UNKNOWN categories ... 95
        Maintaining categories in an RRSF environment ... 95
    Understanding security labels ... 96
        Comparing security labels ... 96


        Considerations related to security labels ... 97
        How users specify current security labels ... 98
        Listing security labels ... 98
        Finding out which security labels a user can use ... 99
        Searching by security labels ... 99
        Restricting security label changes ... 99
        Requiring security labels ... 99
        Controlling the write-down privilege ... 99
        Planning considerations for security labels ... 100

Chapter 6. Specifying RACF options ... 103
    Using the SETROPTS command ... 103
    SETROPTS options for initial setup ... 104
        Allowing mixed-case passwords (PASSWORD option) ... 104
        Allowing special characters in passwords (PASSWORD option) ... 105
        Establishing password syntax rules (PASSWORD option) ... 106
        Setting the maximum and minimum change interval (PASSWORD option) ... 106
        Extending password and user ID processing (PASSWORD option) ... 107
        Revoking unused user IDs (INACTIVE option) ... 108
        Activating list-of-groups checking (GRPLIST option) ... 109
        Setting the RVARY passwords (RVARYPW option) ... 110
        Restricting the creation of general resource profiles (GENERICOWNER and ENHANCEDGENERICOWNER options) ... 110
        Activating general resource classes (CLASSACT option) ... 112
        Activating generic profile checking and generic command processing ... 112
        Activating statistics collection (STATISTICS option) ... 113
        Activating global access checking (GLOBAL option) ... 116
        RACF-protecting all data sets (PROTECTALL option) ... 116
        Activating JES2 or JES3 RACF support ... 117
        Preventing access to uncataloged data sets (CATDSNS option) ... 118
        Activating enhanced generic naming for the DATASET class (EGN option) ... 118
        Controlling data set modeling (MODEL option) ... 119
        Bypassing automatic data set protection (NOADSP option) ... 119
        Displaying and logging real data set names (REALDSN option) ... 120
        Protecting data sets with single-qualifier names (PREFIX option) ... 120
        Activating tape data set protection (TAPEDSN option) ... 120
        Activating tape volume protection (TAPEVOL option) ... 120
        Establishing a security retention period for tape data sets (RETPD option) ... 121
        Erasing scratched or released data (ERASE option) ... 122
        Establishing national language defaults (LANGUAGE option) ... 122
    SETROPTS options to activate in-storage profile processing ... 123
        SETROPTS GENLIST processing ... 123
        SETROPTS RACLIST processing ... 124
    SETROPTS REFRESH option for special cases ... 127
        Refreshing in-storage generic profile lists (GENERIC REFRESH option) ... 127
        Refreshing global access checking lists (GLOBAL REFRESH option) ... 128
        Refreshing shared systems (REFRESH option) ... 128
    SETROPTS options for special purposes ... 128
        Protecting undefined terminals (TERMINAL option) ... 129
        Activating the security classification of users and data ... 129
        Establishing the maximum VTAM session interval (SESSIONINTERVAL option) ... 129
        Activating program control (WHEN(PROGRAM) option) ... 130
    SETROPTS options related to security labels ... 130
        Restricting changes to security labels (SECLABELCONTROL option) ... 131
        Preventing changes to security labels (MLSTABLE option) ... 131
        Quiescing RACF activity (MLQUIET option) ... 131
        Preventing the copying of data to a lower security label (SETROPTS MLS option) ... 132


  • Activating compatibility mode for security labels (COMPATMODE option)......................................132Enforcing multilevel security (MLACTIVE option)............................................................................. 133Restricting access to z/OS UNIX files and directories (MLFSOBJ option)........................................134Restricting access to interprocess communication objects (MLIPCOBJ option)............................. 135Using name-hiding (MLNAMES option)............................................................................................. 135Activating security labels by system image (SECLBYSYSTEM option)............................................. 135

    SETROPTS options for automatic control of access list authority..........................................................136Automatic addition of creator's user ID to access list...................................................................... 136Automatic omission of creator's user ID from access list................................................................ 136

    Specifying the encryption method for user passwords.......................................................................... 137Using started procedures........................................................................................................................ 138

    Assigning RACF user IDs to started procedures............................................................................... 138Authorizing access to resources........................................................................................................139Setting up the STARTED class............................................................................................................139Using the started procedures table (ICHRIN03)...............................................................................141Started procedure considerations..................................................................................................... 142

    Chapter 7. Protecting data sets on DASD and tape.............................................. 145Protecting data sets.................................................................................................................................145

    Rules for defining data set profiles ..... 145
    Controlling the creation of new data sets ..... 147
    Data set profile ownership ..... 148
    Data set profiles ..... 148
    Rules for generic data set profile names ..... 149
    Automatic profile modeling for data sets ..... 156
    Password-protected data sets ..... 158
    Protecting GDG data sets ..... 158
    Protecting data sets that have duplicate names ..... 159
    Disallowing duplicate names for data set profiles ..... 160
    Using the PROTECT operand or SECMODEL for non-VSAM data sets ..... 160
    Protecting multivolume data sets with discrete profiles ..... 160

  Protecting DASD data sets ..... 161
    Access authorities for DASD data sets ..... 161
    Erasing of scratched (deleted) DASD data sets ..... 163
    Comparison of password and RACF authorization requirements for VSAM ..... 163
    Protecting catalogs ..... 163
    Protecting DASD system data sets ..... 163

  DASD volume authority ..... 165
  DFSMSdss storage administration ..... 165
  Protecting data on tape ..... 166

    Using DFSMSrmm with RACF ..... 166
    Choosing which tape-related options to use ..... 167
    Protecting existing data on tape (SETROPTS TAPEDSN in effect) ..... 168
    Protecting new data on tape ..... 169
    Security levels and security categories for tapes ..... 172
    Security labels for tapes ..... 172
    Tape volume profiles that contain a TVTOC ..... 172
    Predefining tape volume profiles for tape data sets ..... 174
    RACF security retention period processing (TAPEDSN must be active) ..... 175
    Authorization requirements for tape data sets when both TAPEVOL and TAPEDSN are active ..... 176
    Authorization requirements for tape data sets when TAPEVOL is inactive and TAPEDSN is active ..... 177
    Authorization requirements for tape data sets when TAPEVOL is active and TAPEDSN is inactive ..... 177
    JCL changes ..... 177
    Installations with DFSMShsm ..... 178
    IEC.TAPERING profile in the FACILITY class ..... 178
    Password-protected tape data sets ..... 178
    Using the PROTECT parameter for tape data set or tape volume protection ..... 178


    Multivolume tape data sets ..... 179
    RACF authorization of bypass label processing (BLP) ..... 179
    Authorization requirements for labels ..... 180
    Tape data set and tape volume protection with nonstandard labels (NSL) ..... 180
    Tape data set and tape volume protection for nonlabeled (NL) tapes ..... 180

Chapter 8. Protecting general resources ..... 181
  Defining profiles for general resources ..... 181

    Summary of steps for defining general resource profiles ..... 181
    Choosing between discrete and generic profiles in general resource classes ..... 184
    Disallowing generic profile names for general resources ..... 184
    Choosing among generic profiles, resource group profiles, and RACFVARS profiles ..... 184
    Rules for generic profile names ..... 184
    Generic profile checking of general resources ..... 186
    Generic profile performance ..... 188
    Granting access authorities ..... 188
    Conditional access lists for general resource profiles ..... 189

  Setting up the global access checking table ..... 190
    How global access checking works ..... 191
    Candidates for global access checking ..... 191
    Creating global access checking table entries ..... 191
    Stopping global access checking for a specific class ..... 195
    Listing the global access checking table ..... 195
    Special considerations for global access checking ..... 195

  Field-level access checking ..... 196
  Planning for profiles in the FACILITY class ..... 206

    Delegating help desk functions ..... 207
    Delegating authority to profiles in the FACILITY class ..... 207

  Creating resource group profiles ..... 208
    Adding a resource to a profile ..... 209
    Deleting a resource from a profile ..... 209
    Which profiles protect a particular resource? ..... 209
    Resolving conflicts among grouping profiles ..... 210
    Considerations for resource group profiles ..... 211

  Using RACF variables in profile names (RACFVARS class) ..... 212
    Defining RACF variables ..... 212
    Example of protecting several tape volumes using the RACFVARS class ..... 213
    Using RACF variables ..... 213
    How RACF uses the RACFVARS member list ..... 214
    Using RACFVARS with mixed-case classes ..... 216

  Controlling VTAM LU 6.2 bind ..... 217
  Protecting applications ..... 219
  Protecting DFP-managed temporary data sets ..... 220
  Protecting file services provided by LFS/ESA ..... 220
  Protecting terminals ..... 221

    Creating profiles in the TERMINAL and GTERMINL classes ..... 221
    Controlling the use of undefined terminals ..... 222
    Limiting specific groups of users to specific terminals ..... 223
    Limiting the times that a terminal can be used ..... 223
    Using security labels to control terminals ..... 223
    Using the TSO LOGON command with the RECONNECT operand ..... 224

  Protecting consoles ..... 224
    Using security labels to control consoles ..... 225

  Using the secured signon function ..... 225
    The RACF PassTicket ..... 226
    Activating the PTKTDATA class ..... 226
    Defining profiles in the PTKTDATA class ..... 226


    When the profile definitions are complete ..... 231
    How RACF processes the PassTicket ..... 231
    Enabling the use of PassTickets ..... 233

  Protecting the vector facility ..... 234
  Controlling access to program dumps ..... 235

    Using RACF to control access to program dumps ..... 235
    Using non-RACF methods to control access to program dumps ..... 237

  Controlling the allocation of devices ..... 237
  Protecting LLA-managed data sets ..... 239
  Controlling data lookaside facility (DLF) objects (Hiperbatch) ..... 240
  Using RACROUTE REQUEST=LIST,GLOBAL=YES support ..... 242

    The RACGLIST class ..... 243
  Administering the use of operator commands ..... 244

    Authorizing the use of operator commands ..... 244
    Command authorization in an MCS sysplex ..... 245
    Controlling the use of operator commands ..... 245

  Establishing security for the RACF parameter library ..... 250
  Controlling message traffic ..... 250
  Controlling the opening of VTAM ACBs ..... 251
  RACF and PSF (Print Services Facility) ..... 252
  Auditing when users receive message traffic ..... 253
  RACF and APPC ..... 253

    User verification during APPC transactions ..... 253
    Protection of APPC/MVS transaction programs (TPs) ..... 254
    LU security capabilities ..... 255
    Origin LU authorization ..... 255
    Protection of APPC server IDs (APPCSERV) ..... 255

  RACF and CICS ..... 255
  RACF and Db2 ..... 256
  RACF and IMS ..... 256
  RACF and ICSF ..... 256
  RACF and z/OS UNIX ..... 256
  RACF support for NDS and Lotus Notes for z/OS ..... 256

    Administering application user identities ..... 257
    System considerations ..... 257
    Authorizing applications to use identity mapping ..... 259
    Considerations for application user names ..... 260

  Storing encryption keys using the KEYSMSTR class ..... 260
    Steps for storing a key in a KEYSMSTR profile ..... 261

  Defining delegated resources ..... 262
    Steps for authorizing daemons to use delegated resources ..... 262

Chapter 9. Administering the dynamic class descriptor table (CDT) ..... 265
  Overview of the class descriptor table ..... 265

    Restrictions for applications and vendor products ..... 265
  Using the dynamic CDT ..... 266

    Profiles in the CDT class ..... 266
  Adding a dynamic class with a unique POSIT value ..... 267

    Steps for adding a dynamic class with a unique POSIT value ..... 268
  Adding a dynamic class that shares a POSIT value ..... 269

    Processing options that are controlled by a shared POSIT value ..... 269
    Rules about disallowing generics when sharing a POSIT value ..... 270
    Steps for adding a dynamic class with a shared POSIT value ..... 270

  Changing a POSIT value for a dynamic class ..... 271
    Steps for changing a POSIT value of an existing dynamic class ..... 271

  Guidelines for changing dynamic CDT entries ..... 272
  Defining a dynamic class with generics disallowed ..... 274


    Steps for changing a dynamic class to disallow generic profiles ..... 274
  Deleting a class from the dynamic CDT ..... 275

    Steps for deleting a dynamic CDT class ..... 275
  Disabling the dynamic CDT ..... 277
  Re-enabling a previously defined dynamic class ..... 278

    Steps to re-enable a previously defined dynamic class ..... 278
  Migrating to the dynamic CDT ..... 278
  Sysplex considerations for the dynamic CDT ..... 280
  Shared system considerations for the dynamic CDT ..... 281
  RRSF considerations for the dynamic CDT ..... 281

Chapter 10. Protecting programs ..... 283
  Overview of protecting programs ..... 283
  Program security modes ..... 284

    Simple program protection in BASIC or ENHANCED mode ..... 285
    Program control by SMFID in BASIC or ENHANCED mode ..... 287
    Maintaining a clean environment in BASIC or ENHANCED mode ..... 288
    More complex controls: Using EXECUTE access for programs or libraries (BASIC mode) ..... 289
    Migrating from BASIC to ENHANCED program security mode ..... 290

  Protecting program libraries ..... 291
    Program access to data sets (PADS) in BASIC mode ..... 292
    Choosing between the PADCHK and NOPADCHK operands ..... 296

  Program access to SERVAUTH resources in BASIC or ENHANCED mode ..... 296
  ENHANCED program security mode ..... 297

    Program access to data sets (PADS) in ENHANCED mode ..... 297
    Using EXECUTE access for programs and libraries in ENHANCED mode ..... 298
    When to use MAIN or BASIC ..... 298
    Defining programs as MAIN or BASIC ..... 299

  How protection works for programs and PADS ..... 300
    How program control works ..... 300
    Informational messages for program control ..... 301
    Authorization checking for access control to load modules ..... 301
    Authorization checking for access control to data sets ..... 302

  Processing for execute-controlled libraries ..... 303
  Examples of controlling programs and using PADS ..... 304

    Examples of defining load modules as controlled programs ..... 304
    Examples of setting up program access to data sets ..... 305
    Example of setting up an execute-controlled library ..... 306
    Example of setting up program control by system ID ..... 307

Chapter 11. Program signing and verification ..... 309
  Overview of program signing and verification ..... 309

    Terms to know ..... 309
    Related information ..... 309
    Task roadmap for program signing and signature verification ..... 309

  Enabling a user to sign a program ..... 310
    Overview of enabling a user to sign a program ..... 310
    Steps for enabling a user to sign a program using RACF code-signing certificates ..... 312
    Steps for enabling a user to sign a program using external code-signing certificates ..... 314

  Enabling RACF to verify signed programs ..... 316
    Overview of enabling RACF to verify signed programs ..... 316
    Steps for discovering if signed programs currently execute on your systems (optional) ..... 320
    Steps for preparing RACF to verify signed programs (one-time setup) ..... 321
    Steps for verifying a signed program ..... 323

Chapter 12. Operating considerations ..... 327
  Coordinating profile updates ..... 327


    RACF commands for flushing a VLF cache ..... 328
  Getting started with RACF (after first installing RACF) ..... 328

    Logging on as IBMUSER and checking initial conditions ..... 329
    Defining administrator user IDs for your own use ..... 330
    Defining at least one user ID to be used for emergencies only ..... 330
    Logging on as RACFADM, checking groups and users, and revoking IBMUSER ..... 330
    Defining the groups needed for the first users ..... 330
    Defining a system-wide auditor ..... 331
    Defining a system-wide read-only auditor ..... 331
    Defining users and groups ..... 331
    Defining group administrators, group auditors, and data managers ..... 331
    Protecting system data sets ..... 332
    Setting RACF options ..... 333

  Using the data security monitor (DSMON) ..... 333
  JCL parameters related to RACF ..... 336
  Restarting jobs ..... 337
  Bypassing password protection ..... 337
  Controlling access to RACF passwords ..... 338
  Authorizing only RACF-defined users to access RACF-protected resources ..... 338
  Using the TSO or ISPF editor ..... 339
  Service by IBM personnel ..... 339
  Failsoft processing ..... 339

    Failsoft processing with tape data sets ..... 340
  Considerations for RACF databases ..... 340

    Backup RACF database ..... 340
    Multiple data set support ..... 340
    Protecting the RACF database ..... 341
    Using RACF data sharing ..... 341
    Sharing data without sharing a RACF database ..... 341
    Number of resident data blocks ..... 342

Chapter 13. Working with the RACF database ..... 343
  Using the RACF database unload utility (IRRDBU00) ..... 343

    Diagnosis ..... 343
    Performance considerations ..... 343
    Operational considerations ..... 344
    Running the database unload utility ..... 345
    Allowable parameters ..... 346
    Using the database unload utility output effectively ..... 347

    Using the RACF remove ID (IRRRID00) utility........................................................................................363IRRRID00 job control statements..................................................................................................... 365IRRRID00 return codes......................................................................................................................367Finding residual IDs........................................................................................................................... 368Creating commands to remove IDs................................................................................................... 369Using IRRRID00 output..................................................................................................................... 370Processing profiles and resources.....................................................................................................373What IRRRID00 verifies.....................................................................................................................373Database objects that are not processed..........................................................................................374Processing a hierarchy of groups.......................................................................................................375Processing global profiles.................................................................................................................. 375Processing general resource profiles................................................................................................ 375Processing MEMBER data.................................................................................................................. 375Processing universal groups.............................................................................................................. 
375IRRRID00 and Tivoli...........................................................................................................................375Time required to run IRRRID00.........................................................................................................376

    Chapter 14. The RACF remote sharing facility (RRSF)..........................................377

    xi

  • The RRSF network................................................................................................................................... 377RRSF nodes........................................................................................................................................ 378

    Establishing user ID associations in the RRSF network......................................................................... 379Types of user ID associations............................................................................................................ 379Password synchronization................................................................................................................. 380

    User ID associations................................................................................................................................381Defining user ID associations............................................................................................................ 381Approving user ID associations......................................................................................................... 382Deleting user ID associations............................................................................................................ 382Listing user ID associations............................................................................................................... 383

    Command direction................................................................................................................................. 383Commands that are not eligible for command direction.................................................................. 384Directing commands using the AT option..........................................................................................384Directing commands using the ONLYAT option................................................................................. 386Order considerations for directed commands and application updates..........................................387Directing commands to incompatible systems................................................................................. 387

    Automatic direction................................................................................................................................. 388Preparing to use automatic direction................................................................................................ 389Output processing..............................................................................................................................391Interactions among automatic direction functions and password synchronization........................396Using automatic direction of commands...........................................................................................397Using automatic direction of application updates............................................................................ 400Using automatic password direction................................................................................................. 403Synchronizing database profiles........................................................................................................405

    Controlling the use of remote sharing functions.................................................................................... 405Controlling access to the RACLINK command.................................................................................. 405Controlling password synchronization.............................................................................................. 406Controlling the use of the AT operand............................................................................................... 407Controlling the use of the ONLYAT operand...................................................................................... 407Controlling automatic direction......................................................................................................... 407

    Establishing RACF security for RRSF TCP/IP connections..................................................................... 412Task roadmap for establishing RACF security for RRSF TCP/IP connections.................................. 412Administer profiles in the SERVAUTH class to enable RRSF to use TCP/IP node connections....... 413Implementing an RRSF trust policy...................................................................................................414

    Chapter 15. Providing security for JES................................................................423Planning for security................................................................................................................................423How JES and RACF work together.......................................................................................................... 423Defining JES as a RACF started procedure............................................................................................. 424Forcing batch users to identify themselves to RACF.............................................................................. 424Support for execution batch monitor (XBM) (JES2 Only)....................................................................... 424Defining and grouping operators.............................................................................................................425JES user ID early verification.................................................................................................................. 425User ID propagation when jobs are submitted.......................................................................................425

    Allowing surrogate job submission....................................................................................................426Controlling user ID propagation in a local environment................................................................... 427

    Using protected user IDs for batch jobs................................................................................................. 428Propagating protected user IDs.........................................................................................................428Using protected user IDs for surrogate job submission................................................................... 428

    Where NJE jobs are verified.................................................................................................................... 428How SYSOUT requests are verified......................................................................................................... 429Security labels for JES resources............................................................................................................430Controlling access to data sets JES uses................................................................................................430Controlling input to your system............................................................................................................. 430

    How RACF validates users................................................................................................................. 430Controlling the use of job names....................................................................................................... 431Authorizing the use of input sources................................................................................................. 437

    xii

  • Authorizing network jobs and SYSOUT (NJE)......................................................................................... 438Authorizing inbound work..................................................................................................................438Authorizing outbound work............................................................................................................... 453

    Controlling access to spool data............................................................................................................. 453Protecting data sets on spools.......................................................................................................... 453Defining profiles for SYSIN and SYSOUT data sets........................................................................... 454Letting users create their own JESSPOOL profiles............................................................................456Protecting JESNEWS.......................................................................................................................... 457Protecting trace data sets (JES2 only).............................................................................................. 458Protecting SYSLOG............................................................................................................................. 459Spool offload considerations (JES2 only)..........................................................................................459How RACF affects jobs dumped from and restored to spool (JES3 only)........................................ 459

    Authorizing console access..................................................................................................................... 460MCS consoles..................................................................................................................................... 460Remote workstations (RJP/RJE consoles)........................................................................................ 460JES3 consoles.................................................................................................................................... 462

    Controlling where output can be processed...........................................................................................462Authorizing the use of your installation's printers..................................................................................463Authorizing the use of operator commands........................................................................................... 464

    Commands from RJE work stations...................................................................................................464Commands from NJE nodes.............................................................................................................. 464Who authorizes commands when RACF is active............................................................................. 465

    Chapter 16. RACF and Storage Management Subsystem (SMS)............................467Overview of RACF and SMS..................................................................................................................... 467RACF general resource classes for protecting SMS classes...................................................................467Controlling the use of SMS classes......................................................................................................... 467

    Refreshing profiles for SETROPTS RACLIST processing for MGMTCLAS and STORCLAS................469DFP segment in RACF profiles.................................................................................................................469

    DFP segment in user and group profiles........................................................................................... 469DFP segment in data set profiles.......................................................................................................470How RACF uses the information in the DFP segments..................................................................... 471Controlling access to the DFP segment.............................................................................................471

    Controlling the use of other SMS resources............................................................................................474

    Chapter 17. RACF and TSO/E..............................................................................477TSO/E administration considerations..................................................................................................... 477Protecting TSO resources........................................................................................................................477Authorization checking for protected TSO resources.............................................................................480Field-level access checking for TSO........................................................................................................480Controlling the use of the TSO SEND command..................................................................................... 480Restricting spool access by TSO users....................................................................................................481TSO commands that relate to RACF........................................................................................................481Using TSO when RACF is deactivated..................................................................................................... 482

    Chapter 18. RACF and z/OS UNIX.......................................................................483Defining group identifiers (GIDs).............................................................................................................483Defining user identifiers (UIDs)...............................................................................................................484

    Listing UIDs and GIDs........................................................................................................................ 484Superuser authority........................................................................................................................... 485Setting z/OS UNIX user limits............................................................................................................ 485Protected user IDs............................................................................................................................. 486

    Controlling the use of shared UNIX identities........................................................................................ 486Sharing IDs......................................................................................................................................... 486Defining the SHARED.IDS profile in the UNIXPRIV class..................................................................487Using the SHARED operand............................................................................................................... 487

    Enabling automatic assignment of unique UNIX identities....................................................................488

    xiii

  • Automatically assigning unique IDs using RACF commands............................................................488Automatically assigning unique IDs through UNIX services............................................................ 490RRSF considerations for automatic ID assignment.......................................................................... 492

    z/OS UNIX performance considerations.................................................................................................494Converting to stage 3 of application identity mapping..................................................................... 494Using the UNIXMAP class and Virtual Lookaside Facility (VLF)........................................................494

    Using UNIXPRIV class profiles to manage z/OS UNIX privileges...........................................................497Example of authorizing superuser privileges.................................................................................... 497Allowing z/OS UNIX users to change file ownerships.......................................................................498Allowing z/OS UNIX users to read or search directories.................................................................. 498Configuring the group owner for new UNIX files...............................................................................499

    Protecting file system resources.............................................................................................................500Administering ACLs............................................................................................................................ 500

    Restricting access to a zFS file system................................................................................................... 502Steps for restricting access to a zFS file system............................................................................... 503

    Restricting execute access in a zFS or TFS file system.......................................................................... 504Steps for restricting execute access in a zFS or TFS file system...................................................... 504

    z/OS UNIX application considerations....................................................................................................505Threads and security..........................................................................................................................505Application services and security......................................................................................................506Restrictions of RACF client ACEE support......................................................................................... 507

    Auditing z/OS UNIX security events........................................................................................................507

    Chapter 19. RACF and digital certificates........................................................... 509Overview of digital certificates................................................................................................................509

    Public and private keys...................................................................................................................... 509X.509 certificates............................................................................................................................... 509Certificate hierarchies........................................................................................................................510Certificate formats............................................................................................................................. 511Using certificates with z/OS client/server applications.................................................................... 512Enabling client login using certificates.............................................................................................. 515

    Using RACF to manage digital certificates.............................................................................................. 516Size considerations for public and private keys................................................................................ 517

    Using the RACDCERT command to administer certificates....................................................................518Sharing the RACF database with a z/VM system...............................................................................519Controlling the use of the RACDCERT command.............................................................................. 519Examples of adding digital certificate information........................................................................... 522Examples of listing digital certificate information.............................................................................522Examples of listing digital certificate chain information...................................................................526Examples of checking digital certificate information........................................................................529Examples of altering digital certificate information.......................................................................... 534Examples of deleting digital certificates........................................................................................... 534

    DIGTCERT general resource profiles.......................................................................................................535DIGTCERT profile names....................................................................................................................535Ownership of DIGTCERT profiles.......................................................................................................536RACLISTing the DIGTCERT class....................................................................................................... 536

    RACF and key rings.................................................................................................................................. 536DIGTRING general resource profiles.................................................................................................537Sharing a private key in a key ring..................................................................................................... 538Using a virtual key ring....................................................................................................................... 538

    RACF and z/OS PKCS #11 tokens........................................................................................................... 538Creating and populating PKCS #11 tokens....................................................................................... 539

    Certificate name filtering.........................................................................................................................540Interpreting the X.500 directory information tree............................................................................ 541Creating certificate name filters........................................................................................................ 542Types of certificate name filters........................................................................................................ 543How RACF processes certificate name filters................................................................................... 546

    xiv

  • Using an existing certificate as a model............................................................................................ 547Excluding a certificate by using the NOTRUST option.......................................................................547Mapping multiple user IDs using additional criteria......................................................................... 548

    Automatic registration of digital certificates..........................................