RACF (part of OS/390 Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.
Why Not Offer to Host a RUG Meeting?
Most RUGs work on a volunteer basis, and a great way to help share info with others is to host a meeting in your area.
To See Back Issues of This Newsletter on the Web
See page 8 of this issue for the Henderson Group home page.
To Download RACF Related Software From IBM
Use the IBM ftp site listed on page 8.
NEW YORK RUG Meeting Dates
On Wednesdays, from 1 to 5 PM: this quarter on October 27, 1999. The following meeting will be in January, 2000, if civilization is still working. Mark your calendars now. See inside for details.
BALTIMORE/WASHINGTON RUG
Meeting Dates
On Thursdays, from 9AM to Noon: this quarter on October 28, 1999. The following meeting will be in January, 2000. Mark your calendars now. See inside for details.
-------------------------------------------
More Changes in the RACF Software Industry
Technologic Software has acquired the Megasolve product line. For more info, contact Bill Tomlinson at (949) 509-5000.
Denver RUG Continues
Of the RUGs listed last issue, we understand that the Rocky Mountain RUG in Denver is still thriving. Call Don Huber at (303) 893-4701 for more info.
How Everything is Coming Together Under Our Noses
IBM lets us connect our mainframes to other platforms with a variety of techniques, including TCP/IP, OMVS, APPC, MQSeries, and others. To a large degree, IBM has unified the security of these connections under RACF. With the latest release of OS/390, we now can have Lotus Notes working with RACF 2.8 to synchronize userids and user identification. We also have Novell Directory Services on the mainframe working with RACF 2.8 to integrate security. (These features use the new RACF resource classes NOTELINK and NDSLINK respectively. They also use a new FACILITY class rule named IRR.RUSERMAP.)
If you figure that you can't have good security on a computer which is not physically secure, it makes sense to have centralized security on the mainframe, locked inside the data center. If you have a lot of Novell LANs in your shop, or a lot of Lotus Notes, then you have to think about pulling the security all together with RACF. This means you need to learn about the new resource classes, and to learn all the Novell and Notes networks already in your shop. You'll have to learn about LDAP and DCE and Digital Certificates soon too. No wonder that no one wants your job. Do you think they'll have Windows NT on the mainframe soon? Or MS/DOS?
New Release of IMS Has RACF Security Enhancements
Release 6 of IMS includes security over DL/1 database fields and segments, performance improvement with RACF, and improved security documentation. With release 6, we get to use the xIMS resource classes like WIMS and PIMS which have existed in RACF for some time. These resource classes let you control access to data in DL/1 databases.
IMS 6 improves performance with RACF by saving all the RACF rules in a separate dataspace, which can be shared among regions. This is similar to what CICS release 4 does. As with CICS release 4, if you want to refresh the rules in memory, you issue: SETR RACLIST(xIMS) REFRESH.
IMS 6 gives us a great manual for addressing IMS security, with or without RACF. The title is IMS V6 Security Guide, order number SG24-5363. (This is a "redbook", and can be downloaded from IBM's redbook site on the Internet. See page 8.)
RACF 2.8 Has Lots of New Features, for Protected Userids, for UNIX, for Digital Certificates, for DB2, and for Others
We've documented several new features elsewhere in this newsletter. The next page lists several more:
For Protected Userids:
These userids are ones which cannot be used to logon (or start a batch job) with a password. For example, you might use these for started tasks, so that the userids can only be used for started tasks. (This would prevent someone from guessing (or remembering) the password of a started task's userid and using it on a batch job to hack your system.) You make a new userid be protected by specifying NOPASSWORD and NOOIDCARD on the ADDUSER command. You can make existing userids be protected by using the same operands on the ALTUSER command. (Make sure first that no one is using these userids for some other purpose that requires a password.)
Protected userids cannot be revoked by entering a bunch of bad passwords. (Think of the VTAM started task for all you people in NorthEast Texas who try to logon as NET.) They make sense for started tasks (including RACF itself), for OMVS and TCP/IP daemons, for CICS default userids, and for CICS pre-defined terminal userids.
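One way to do the "make sure first" check above before issuing ALTUSER: run the candidate started-task userids against a logon history and see which ones were ever used with a password. This is an added example, not from the newsletter; it assumes a constructed, simplified extract of RACINIT events rather than real SMF type 80 records, which would need a proper parser.

```python
"""Pre-check before making started-task userids PROTECTED (NOPASSWORD NOOIDCARD).

Assumed input: one dict per RACINIT event with the userid, the kind of work
(STC, TSO or JOB) and whether a password was supplied. The records below are
constructed for illustration.
"""

# Constructed sample of logon events over some interval.
SAMPLE_RACINITS = [
    {"userid": "NET",      "kind": "STC", "password": False},  # VTAM started task
    {"userid": "CICSDFLT", "kind": "STC", "password": False},
    {"userid": "CICSDFLT", "kind": "JOB", "password": True},   # also used on a batch job
    {"userid": "TCPIP",    "kind": "STC", "password": False},
    {"userid": "JSMITH",   "kind": "TSO", "password": True},
]

# Started-task userids we would like to make protected (constructed list).
CANDIDATES = ["NET", "CICSDFLT", "TCPIP", "RACF"]


def password_uses(events, userid):
    """Return the events where this userid was used WITH a password."""
    return [e for e in events if e["userid"] == userid and e["password"]]


def plan_protected(events, candidates):
    """Sort candidates into: safe to protect now, needs investigation (someone
    is logging on with a password), or no activity seen in the sample at all
    (the interval may simply not cover its normal use)."""
    seen = {e["userid"] for e in events}
    plan = {"protect": [], "investigate": {}, "unseen": []}
    for uid in candidates:
        uses = password_uses(events, uid)
        if uses:
            plan["investigate"][uid] = sorted({e["kind"] for e in uses})
        elif uid in seen:
            plan["protect"].append(uid)
        else:
            plan["unseen"].append(uid)
    return plan


def altuser_commands(plan):
    """Build the ALTUSER commands for the userids judged safe to protect."""
    return [f"ALTUSER {uid} NOPASSWORD NOOIDCARD" for uid in plan["protect"]]


if __name__ == "__main__":
    plan = plan_protected(SAMPLE_RACINITS, CANDIDATES)
    for line in altuser_commands(plan):
        print(line)
    print("investigate first:", plan["investigate"], "no activity seen:", plan["unseen"])
```

Userids in the "unseen" bucket are not proof of safety: widen the sample interval before protecting them.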
For OMVS or UNIX:
RACF 2.8 supports the new UNIXPRIV class, which lets us grant specific subsets of the SUPERUSER privilege to various users, thus avoiding the need to give SUPERUSER to the world.
RACF 2.8 adds new fields to the OMVS segment of the user record. These fields are used to limit the amount of resources a user can consume: CPUTIMEMAX, ASSIZEMAX (Stop that!! This represents address space size of course.), FILEPROCMAX, PROCUSERMAX, THREADSMAX, and MMAPAREAMAX.
For Digital Certificates:
RACF 2.8 uses the OCEP (Open Cryptographic Enhanced Plug-ins, which you get now as part of the OS/390 Security Server), to act as a limited certificate authority. RACF 2.8 has a new resource class DIGTRING, which represents a digital key ring. (You keep all your digital keys on a digital keyring, right?)
For DB2:
RACF 2.8 has new resource classes to protect additional types of objects (such as schemas and stored procedures). The DB2 exit (IRR@XACS), which invokes RACF to control DB2 security, is now updated to control the TRIGGER privilege, which represents the ability to create a trigger on a table.
For Other Purposes: RACF 2.8 has these new resource classes: JAVA (to provide JAVA security), and SERVAUTH (to control the ability to connect to TCP/IP).
Corrections to Last Issue
We apologize for any confusion we may have caused with these mistakes in the last issue:
Fifteen Minute Project to Improve Your RACF
If you have any questions about RACF affecting system performance, here's a way to think about it. Ask the performance system programmer to show you the RMF statistics for the disk packs containing the RACF databases. RMF is like SMF, but has interval information about disk drives, including percent time busy, number of I/O requests queued up, and number of I/O requests. This information will either show a performance problem related to RACF I/O, or not. If not, relax. If yes, then try this to isolate the cause: Look at the SMF data to find the number of RACINIT requests (RACINIT is the RACF function which checks out your userid and password. It gets called every time you log on at a terminal through RACF, and every time you start a batch job or started task. It always gets logged to SMF for these calls. It also gets called when a batch job is read into your system.) You might for example see a peak in RACINIT activity around 9AM, when many users log on to start the day.
See if there is a correlation between the number of RACINITs and the number of I/O requests to the disk drives containing the RACF datasets. You might estimate two I/Os for each RACINIT, one to read in the user record, and one to write it out again. If you have set up RACF with sufficient buffers, there should be few or no I/Os to read the index records needed to find the user record. As a rule of thumb, you might estimate that a typical disk I/O takes about 30 milliseconds (faster with RAID or electronic cache devices). From this information, you should be able to determine whether any performance bottleneck is due to too many RACINITs, too many I/Os per RACINIT, or too many milliseconds per average I/O. You can then work with your performance system programmer to figure out how to improve the situation.
You can do the same sort of analysis with the RACHECK function, the one which answers the question, "Can this user do x?". You have to do this one resource class at a time, probably starting with the DATASET class. You can use the SETR LOGOPTIONS command to specify (for a short interval only) that all DATASET RACHECKs should be logged to SMF. Then turn the logging off, again using SETR LOGOPTIONS.
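The three-way split above (too many RACINITs, too many I/Os per RACINIT, or too many milliseconds per I/O) is easy to automate once you have the RACINIT counts and RMF volume statistics side by side per interval. This is an added example, not from the newsletter; the interval records are constructed, and the 30% busy threshold is an assumption, while the two-I/Os-per-RACINIT and 30 ms-per-I/O figures are the newsletter's own rules of thumb.

```python
"""Rough triage of RACF database I/O from RACINIT counts and RMF disk statistics.

Assumed input: one dict per RMF interval with the RACINITs logged to SMF in
that interval, the I/O requests RMF reported for the volume holding the RACF
database, and the percent of the interval that volume was busy.
"""

RULE_IOS_PER_RACINIT = 2.0   # newsletter rule of thumb: read + write of the user record
RULE_MS_PER_IO = 30.0        # newsletter rule of thumb for a typical disk I/O
BUSY_THRESHOLD_PCT = 30.0    # assumed: below this, do not chase RACF I/O at all
INTERVAL_MS = 15 * 60 * 1000  # constructed sample uses 15-minute RMF intervals

# Constructed sample intervals.
SAMPLE_INTERVALS = [
    {"start": "08:30", "racinits": 400,  "ios": 900,   "busy_pct": 4.0},
    {"start": "09:00", "racinits": 6000, "ios": 12500, "busy_pct": 42.0},  # logon peak
    {"start": "09:15", "racinits": 1500, "ios": 9000,  "busy_pct": 35.0},  # extra reads
    {"start": "13:00", "racinits": 700,  "ios": 1500,  "busy_pct": 33.0},  # slow pack
]


def triage(iv, interval_ms=INTERVAL_MS):
    """Classify one interval by which of the three factors stands out.

    ms per I/O is derived from busy time: busy_pct/100 * interval length / I/Os.
    """
    ios_per_racinit = iv["ios"] / iv["racinits"] if iv["racinits"] else float("inf")
    ms_per_io = (iv["busy_pct"] / 100.0) * interval_ms / iv["ios"] if iv["ios"] else 0.0
    if iv["busy_pct"] < BUSY_THRESHOLD_PCT:
        verdict = "ok"
    elif ios_per_racinit > 1.5 * RULE_IOS_PER_RACINIT:
        verdict = "too many I/Os per RACINIT (check buffers / index reads)"
    elif ms_per_io > 1.5 * RULE_MS_PER_IO:
        verdict = "slow I/O (check the device and other datasets on the pack)"
    else:
        verdict = "RACINIT volume (logon peak)"
    return {"start": iv["start"], "ios_per_racinit": round(ios_per_racinit, 2),
            "ms_per_io": round(ms_per_io, 1), "verdict": verdict}


def triage_all(intervals):
    """Triage every interval and return the results in order."""
    return [triage(iv) for iv in intervals]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_INTERVALS):
        print(f'{r["start"]} {r["ios_per_racinit"]:5.2f} I/O per RACINIT '
              f'{r["ms_per_io"]:6.1f} ms per I/O -> {r["verdict"]}')
```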
==============================================================
NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS
NYRUG: At Our Next Meeting
Our next meeting will be hosted by Blockade Systems Corporation, which is also providing members with a free, pre-meeting lunch and product demonstration, as well as providing our mid-meeting break refreshments. Blockade's product presentation precedes and is completely separate from our regular meeting. To attend the free lunch, please RSVP by e-mail or phone. E-mail daustin@blockade.com or phone Deborah Austin at 888-898-9949 (toll-free 9-5PM EST). Specify which meeting (NY or Bethesda, MD), your name, company, and other contact details. At the regular meeting, our speakers will be Mark Nelson of IBM on the new features in RACF 2.8 and digital certificates AND Hayim Sokolsky of Vanguard on the subject: "How to Secure SDSF with RACF". As always, we will have a question and answer session with some of the keenest RACF minds in the State to answer questions.
Time: Wednesday, October 27, 1999. The lunch and product presentation will begin at noon. The regular meeting starts at 1PM until it's too late to go back to the office.
Place: The New York Marriott Marquis, 1535 Broadway [between 45th and 46th Streets, at 7th Avenue and Times Square], in the Odette Wilder Room on the 4th Floor
==============================================================
BWRUG (Baltimore/Washington RUG):
Our next meeting will be hosted by Blockade Systems Corporation, which is also providing members with a free, pre-meeting breakfast and product demonstration, as well as providing our mid-meeting break refreshments. Blockade's product presentation precedes and is completely separate from our regular meeting. To attend the free breakfast, please RSVP by e-mail or phone. E-mail daustin@blockade.com or phone Deborah Austin at 888-898-9949 (toll-free 9-5PM EST). Specify which meeting (NY or Bethesda, MD), your name, company, and other contact details. At the regular meeting, our speakers will be Mark Nelson of IBM or Stu Henderson on the new features in RACF 2.8 and digital certificates AND Hayim Sokolsky of Vanguard on the subject: "How to Secure SDSF with RACF". As always, we will have a question and answer session with some of the keenest RACF minds in the Capital area to answer questions.
Time:
Thursday, October 28, 1999. The breakfast and product presentation will be from 7:45 AM to 9AM. The regular meeting will be from 9AM to noon.
Place:
Marriott Residence Inn at 7335 Wisconsin Ave in Bethesda, MD, phone (301) 718-0200. This is at the Bethesda stop of the RED LINE of the Metro (which goes quickly to Union Station for MARC and Amtrak riders). By car: Take the beltway I495 to Exit 34 (Wisconsin Ave.). This is NW of DC, near where I270 joins I495. Take Wisconsin Ave South (aka Route 355 South) about 2.5 miles. Watch for the Hyatt/Bethesda Metro on the right. Just past the Hyatt, take the next left onto Montgomery Avenue. Go one block and take the first right onto Waverly Avenue. Waverly wraps around to the front of the hotel where there is valet parking.
Permanently Interesting Products Column
We have not evaluated these, but think every RACF shop should know about them.
Yet Another Free Software Product Inside Each Box of RACF!!
You know that when you buy RACF, you actually buy the "OS/390 Security Server", which includes RACF. It also includes valuable free software products such as the OS/390 Firewall, the LDAP Server, and the DCE Security Server. Now, with RACF 2.8, you also get the Open Cryptographic Enhanced Plug-ins (OCEP) software. This software is used with digital certificates and OMVS.
HG RACF and Security Training 1998 Schedule:
The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog.
1) HG04 Effective RACF Administration (formerly called How to Implement and Administer RACF Effectively) ($1695)
Sept. 27-Oct. 1, 1999 in New York City
Nov. 15-19, 1999 in Washington, DC
Feb. 21-25, 2000 in Clearwater, FL
2) HG05 Advanced RACF Administration ($850)
Sept. 21-22, 1999 in Washington, DC
3) HG17 How to Be an Effective OS/390 (MVS) Data Security Officer (covers CICS, VTAM, DB2, JES, and other security along with MVS security, SAF, and OS/390) ($1150)
Oct. 18-20, 1999 in Washington, DC
4) HG40 Mastering Windows NT Security (covers new security features with the new release of NT, NT 5, aka Windows 2000) ($1195)
Dec. 13-15, 1999 in Bethesda, MD (near Washington, DC)
RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)
RACF List Server on the Internet
To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:
subscribe racf-l john smith
to the address: listserv@listserv.uga.edu
The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.
Other Internet places: