RACF Users' News No. 46

RACF Users' News # 46

September, 1998 Newsletter

Issue No. 46

RACF is a trademark of IBM. This newsletter is not affiliated with IBM in any way.

Winner of the PROGRAM Golf Shirt Announced

The winning entry for most interesting list of programs to be protected in the PROGRAM class is Hayim Sokolsky. His list:

IEEMB860 (the master scheduler)
HASJES20 (JES2)
IRRMIN00 (RACF database format)
IATILNK (JES3)
ICHSEC00, ICHSEC05, ICHSEC06 (RACF)
IRRDBU00 (RACF database unload)

GARUG Has Great OnLine Newsletter

GARUG, the Georgia RUG, has not only a great web site (see page 8 for URL). They also have a great newsletter, which is published on the Internet. To subscribe. contact Nancy Geiger at racf@tsius.com or at (770) 534-6409. (You will need Acrobat Reader software, which is available for free, to read this newsletter.)

NEW YORK RUG Meeting Dates

On Wednesdays, from 1 to 5 PM:

October 21, 1998 (revised), and then January 13, 1999, and then April 14, 1999. Mark your calendars now. See inside for details.

BALTIMORE/WASHINGTON RUG Meeting Dates

On Thurdays, from 9AM to Noon:

October 22, 1998 (revised) and then January 14, 1999, and then April 15, 1999. Mark your calendars now. See inside for details.

Computer Security Policy Sharing Library to Change Hands

Denise Saylor of Lukens Steel has for many years maintained this sharing library. Many of us have benefitted from seeing what other people have in their policies. (And of course, have contributed to the library when their own policies were made final.) Denise has moved on to better opportunities in her company and will no longer be able to maintain the library. If you would like to be the official NYRUG Policy Sharing Library Coordinator, let Stu know. You will be contributing to the entire community. (You also get all the rights and privileges pertaining thereto, including having your name in this newsletter.) Denise, thanks for years of unselfish sharing. Good luck in your new position. We will miss you.

RACF Software Industry Re-Structures

We have recently seen several changes in the companies which sell software to support RACF reporting and admininistration. These include: an acquisition, a transfer, several new companies, and (as described in the next article) new, free software from IBM. Our head is spinning from all the changes, so if we left someone out (or didn't get the right updates to the Interesting Products columns), please let us know. (Please check the Interesting Products columns for contact information.)

Vanguard has acquired Sysdata, including the RACF software tool RIOVISION, also known as "RACF with a mouse".

RA-2 is now sold and supported by SEA in Long Island. (It used to be sold by ASPG, which still has a fine line of non-RACF tools).

New companies offering tools for RACF administration support include: Beta Systems, which offers Beta-88.

Another new offering is Megasolve, from Megasolve.

Yet a third offering is R-to-R, from Open Software Technologies.

We have has many requests for recommendations or comparisons of these products. However, we don't see any practical method to do this, given the number of products and the speed with which they all sprout new features.

We make the following recommendations for deciding on a product:

Get literature on them all and demo disks if you can. Look and feel can be a critical factor, and everyone has a different preference. This also lets you get a feel for what it's like to deal with each vendor.
Make a list of features and functions which are critical for your shop. Compare each product against the list.
Get the phone numbers of three or more satisfied customers for any major software purchase and PHONE THEM.
Compare prices, and if they're too high, consider building your own using some of the tools available for free from IBM.

A reliable source at Goldman Sachs denies the rumor that the HRUG (Harrisburg RACF Users Group) is about to undergo an IPO (Initial Public Offering). "Perhaps you misunderstood someone coughing," she commented.

IBM Offers New, Free Tools to Ease RACF Administration

You will want to learn about these tools from IBM, available over the Internet (http://www.s390.ibm.com/racf/):

RACTRACE, a software tool that traces all calls to RACF through SAF, so you can see who is calling RACF. This lets you figure out what the rules should be. It's also useful when you are getting weird results and need to know whether for example JES made the RACF call you think it's supposed to. This tool is in assembler language and will need some help from the system programmer, but is worth the effort.
DBSYNCH, a tool written in REXX, usually thought of for merging two or more RACF databases, but actually useful for any time you want to generate commands from existing RACF records. For example, if you wanted to "clone" a userid, by making several new userids exactly like it, a small amount of tailoring to DBSYNC will do the job, creating ADDUSER commands, PERMITS, and CONNECTS to do exactly what you want.
The DB2 to RACF Conversion Tool reads the DB2 security tables and generates RACF commands to create corresponding RACF rules for when you activate the RACF-DB2 exit.
Other tools. See the web site. Check it out periodically for new stuff.

More on LDAP

When IBM re-packaged RACF by putting it into a product called "OS/390 Security Server", they added a several free add-ons, including the Firewall software. The most recent of these is an LDAP, or Lightweight Directory Access Protocol, server. Here's how it works:

Think of all the times you have had to take information about a user from one source and incorporate it into another file: UADS into RACF, DB2 into RACF, CICS into RACF, people's phone numbers and departments, salary information, home addresses, and on and on and on. How would you like a single database with all the information you wanted to store about people, with the ability to add new fields to the records, with good read and write security over each field, and available to any program which needed the information? This is LDAP, a standard which is associated not with any vendor, but with the people who are figuring out how to integrate different computers from all vendors into a smoothly flowing client-server configuration.

LDAP uses a directory, which is a database designed to support more reads than updates. It is designed to hold lots of different types of information about people. It can be called from almost any program. It is designed so that if a given directory doesn't have the information you need, it can ask other directories on other computers for the information.

LDAP is a stripped-down, ("lightweight") version of the X500 protocol blessed by standards organizations like ISO and ANSI. You will see it in the next release of Windows NT (NT 5). You can already see it in Novell Netware 4. And now RACF works with it on the mainframe, as part of the OS/390 Security Server.

Interesting Products Column

We have not evaluated these, but think every RACF shop should know about them.

IBM Secureway has a new webpage. Try it at http://www.ibm.com/security.
IBM S/390 security also has a new webpage. Try it at http://www.s390.ibm.com/security/.
IBM offers new versions of DFSORT and RACFICE which allow you to define symbols to replace fields. IBM gives us the symbol definitions for RACF stuff like the output of the RACF Database Unload Utility already defined. Some very clever person seems to be guiding the design of these tools.

Fifteen Minute Project to Improve Your RACF

Check your GLOBAL table in DSMON to verify that it does what you want without undercutting critical rules. Here are some guidelines:

Review SETR LIST to make sure that the GLOBAL class is active and that GLOBAL checking is done for DATASETS (and probably not for anything else unless you have a good reason to do so).
You probably want a rule like this: &RACUID.*/ALTER to allow any user to access his or her own datasets without I/O to the RACF database.
Do not have a rule like this: SYS1.*/READ since this can undercut critical SYS1 dataset rules. It might for example give everyone read access to the RACF databases, which would let anyone start a brute force attack on your passwords. (See Kurt Meiser at the NYRUG or BWRUG.)
Make sure that other rules are there because you know that they reduce a significant number of I/Os. Use the RACTRACE program described above or just think through the number of RACHECKs for different names.
Review each GLOBAL rule to see if you can find a way for a hacker to use it to break your system.
Follow IBM's advice on GLOBAL DATASET rules for ISPF and TSO system datasets with READ access. These could have major performance effects.

Questions and Answers

Q Our DSMON report lists several RACF exits which our system programmer says are not on the system. We look in all the libraries where RACF exits can reside and do not see these exits. Is this a bug in DSMON?
A This one is not a bug in DSMON. (One of the nice features of DSMON is that it bases its reports whenever possible on actual control blocks in memory.) Browsing your MVS control blocks in memory from a TSO terminal (from the CVT to the RACF CVT to the addresses in the RACF CVT of the RACF exits) revealed that the pointers in your RACF CVT to the exits are not set to zero. This means to RACF (and to DSMON) that the exits exist on your system. Browsing the memory at those addresses revealed actual programs, whose copyright notice (in the first 100 bytes of the program itself) suggested the name of the programs' vendor. We suggest that you discuss with your sysprogs whether such a product is on your system, and whether it is installing RACF exits dynamically, and what those exits do. If your company has a policy that the Security Department be involved in pre-purchase review of all system software, you might consider enhancing and/or enforcing the policy.
Q (From the RACF List Server) Is there any risk for CICS security of making the default user for the region the same as the RACF userid for the region?
A (abridged from IBM's Phil Emrich, also on the RACF List Server) Yes, there is a risk, and I would never recommend having the same userid for these. If in an MRO situation, a terminal or session sign-on in the TOR should fail, leaving the terminal in session, the userid associated with the terminal or session will be the userid specified as the CICS default user for that region. If this is the same as the userid of the TOR region itself, it would have more power than you want. Such a condition could arise from an abend of your customized sign-on transaction prior to the successful completion of the EXEC CICS SIGNON processing.
You can limit this exposure by specifying a userid via the DFLTUSER parameter that has minimal authority to CICS transactions. It makes sense to have a uniquely defined userid as the default user for each CICS production region, and to give these userids minimal authority.

See If You Can Guess Where IBM Thinks the World Is Headed Based on This Partial List of Planned Features for OS/390 Version 2 Release 6:

Component Broker for OS/390
Parallel Sysplex Enhancements
eNetwork Communications Server Enhancements
Lotus Domino Go Webserver 5.0
Network File System Enhancements
UNIX System Services Functions and Performance Improvements
Distributed File Service Enhancements

If you add in LDAP (see above), and the free firewall you get with RACF, you would think that IBM is pursuing a strategy of linking the mainframe to everything else, with RACF doing a major part of the security.

NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS

NYRUG: At Our Next Meeting

This is our best slate of speakers in a long time: Walt Farrell of IBM's RACF development team will speak to us on "The Future of Information Security" They say that no one has thought longer, deeper, nor more thoroughly about RACF than Walt Farrell. They call him the "Pope of RACF". Kurt Meiser of ITSS, the author of the RACF password cracker program and of other nifty software, will speak on RACF Password Quality Considerations, including: unhashing RACF passwords, user experience guessing RACF passwords, and brute force attacks. Both of these speakers have rare knowledge and both know how to present it with humor.

Time: Wednesday, October 21, 1998 from 1PM until it's too late to go back to the office.

Place: Bank of New York, 1 Wall Street, 45th Flr to get to the 47th Floor (not the usual BONY site)

==============================================================

BWRUG (Baltimore/Washington RUG):

Our Next Meeting will be at IBM's luxurious conference facility in their Federal Systems Secure Computing offices in Bethesda, MD. We will have our best slate of speakers in a long time: Walt Farrell of IBM's RACF development team will speak to us on "The Future of Information Security". They say that no one has thought longer, deeper, nor more thoroughly about RACF than Walt Farrell. They call him the "Pope of RACF". Kurt Meiser of ITSS, the author of the RACF password cracker program and of other nifty software, will speak on RACF Password Quality Considerations, including: unhashing RACF passwords, user experience guessing RACF passwords, and brute force attacks. Both of these speakers have rare knowledge which they present with humor.

Time: Thursday, October 22, 1998 at 9:00.

Place: IBM's Bethesda offices NW of Wash., DC, where I270 and I495 come together. Call our host Mike Kearney of IBM at (301) 803-1719 if you need help with directions. From Baltimore, take I95 South to I495, heading West towards Bethesda. Exit from I495 onto I270, towards Rockville. Exit from I270 onto Old Georgetown Road, turning left at the light at the end of the ramp. Go two lights, and turn RIGHT onto Rock Spring Drive. Go one light and turn RIGHT onto Rockledge Drive. Turn LEFT at the second median break, 6710 Rockledge Drive. The parking garage is on your left, and the building is on your right. At the gated garage entrance, push the button and tell the guard you're going to the B/W RUG or RACF meeting. Parking is free. Walk to the 6710 lobby for sign-in.

From Virginia, take I495 North towards Rockville/Bethesda. Exit onto I270, heading towards Rockville/Gaitherburg. Exit from I270 onto Democracy Blvd turning RIGHT at end of the ramp. Go 3 lights and turn LEFT onto Rockledge Drive. Go STRAIGHT through 1st light (Rock Spring Drive), then turn LEFT at the second median break, 6710 Rockledge Drive. The parking garage is on your left, and the building is on your right. At the gated garage entrance, push the button and tell the guard you're going to the B/W RUG or RACF meeting. Parking is free. Walk to the 6710 lobby for sign-in.

From DC, West, take GW Pkwy to 495 and follow Virginia directions above. From DC, East, take New York Avenue to B/W Pkwy to I495 and follow Baltimore directions above.

Permanently Interesting Products Column

We have not evaluated these, but think every RACF shop should know about them.

MegaSolve's Security Server Administrator. Phone Bill Tomlinson at (818) 887-4994 for more info.
CONSUL/RACF Call Brent Phillips at (800) 323-0880 for information. On the Internet: http://www.consul.com
Free RACF Password Cracker Program. Email Kurt Meiser at kmeiser@ibm.net or mail request to ITSS, 11 Phillips Road, Poughkeepsie, NY 12603 USA. Please don't phone these requests. Thanks.
RA/2. Call Mario Labita at Software Engineering of America at (516) 328-7000.
RtoR from Open Software Technologies. Call Rosalie Eckhaus at (407) 788-6389 for info.
TOOLKIT. Call Palace Guard Software (562) 491-4600 for more info.
Beta System's software for RACF administration. Call (800) 777-9864 for more info.
Vanguard's Administrator and Sysdata' RIOVISION. Call (714) 939-0377 for more info.
SecurePass from Proginet to link RACF with Windows NT security. Call (516) 248-3366 for more info.

HG RACF and Security Training 1998 Schedule:

The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog.

  1)        HG04 Effective RACF Administration (formerly called How to Implement and
            Administer RACF Effectively)   ($1695)  
                        Nov. 16-20, 1998 in Washington, DC
                        Feb. 22-26, 1999 in Clearwater, FL

  2)        HG05 (formerly HG44) Advanced RACF Administration  ($850)     
                        Dec. 10-11, 1998 in Washington, DC

  3)        HG17 How to Be an Effective OS/390 (MVS) Data Security Officer) (covers CICS,
            VTAM, DB2, JES, and other security along with MVS security, SAF, and OS/390)
            (3 days in 1998 for $1150)
                        Dec. 7-9, 1998 in Washington, DC
                        Mar. 1-3, 1999 in Clearwater, FL


  4)        HG40 Mastering Windows NT Security ($850)  
                        Oct. 19-20, 1998 in Washington, DC

RACF User Services (Key Phone Numbers / Addresses)

Technical support hotline, Meetings, Free Newsletter subscription, Seminar Catalogs: Stu Henderson - (301) 229-7187 5702 Newington Rd, Bethesda, MD 20816

RACF List Server on the Internet

To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: LISTSERV@uga.cc.uga.edu or LISTSERV@UGA.BITNET

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.

Other Internet places:

Georgia RUG home page on the Internet http://www.mindspring.com/~ajc10/garug.html
IBM RACF home page: http://www.s390.ibm.com/products/racf/racfh.html
IBM S/390 home page, including RACF: http://www.s390.ibm.com
IBM FTP site, including RACF stuff: lscftp.kgn.ibm.com
IBM Secureway site: http://www.ibm.com/security
IBMLink at: http://www.ibmlink.com
Beta Systems: http://www.betasystems.com
MegaSolve: http://www.megasolve.com
Proginet: http://www.proginet.com
Consul: http://www.consul.com
Vanguard (and SysData): http://www.viplink.com
the Henderson Group: http://www.stuhenderson.com/index.html