Release 2.9 of RACF Wasn't Out By the Last Issue

There may be no RACF 2.9, even though there was an OS/390 2.9. However, IBM gave us some APARS for 2.8 that are great (and described later in this issue). Any guesses on what RACF release we will get in the Fall?

For Back Issues of this Newsletter

Go to www.stuhenderson.com and follow the menu.

Northern Californian RACF Users Group

is named RUG-INC. For info, call Len Bridges (510) 464-6347.

NEW YORK RUG Meeting Dates

On Wednesdays, from 1 to 5 PM: this quarter on July 12, 2000. The following meeting will likely be October 19, 2000 Please note that this is a Thursday because of a special speaker, Phil Emrich. Mark your calendars now. See inside for details. See also "New Day of Week..." on next page.

BALTIMORE/WASHINGTON RUG Meeting Dates

On Thurdays, from 9AM to Noon:

The BWRUG will not meet in July. The next meeting will likely be October 20, 2000. Please note that this is a Friday, because of a special speaker, Phil Emrich. Mark your calendars now. See inside for details. See also "New Day of Week..." on next page.

-------------------------------------------

IBM Security Conference Oct. 2-6, 2000, Orlando, FL

For more details, call (800) 426-8322 or see: www.ibm.com/services/learning/conf/sw

Congress Passes Law Supporting Digital Signatures for E-Commerce

Since RACF supports digital signatures, you might want to learn more about this if your organization will ever be doing business over the Internet.

New Day of Week for NYRUG and BWRUG

The NYRUG has been meeting on a Wednesday, the BWRUG on the following Thursday. In January, we will probably change this to Tuesday for the NYRUG, with the BWRUG on the preceding Monday. Please send comments and questions to Stu at (301) 229-7187.

Important New APARs for RACF 2.8 Including the RESTRICTED User Attribute

This pair of APARs (OW40129 and OW40130) provide two important new functions: The first is improved support for digital certificates, which we will address in a future issue. The second is a new user attribute: RESTRICTED. Think ALU userid RESTRICTED and ALU userid NORESTRICTED. A userid with this attribute is only granted access to a dataset or resource if its userid or group is explicitly permitted to the dataset or resource rule. This means that the RACHECK and FRACHECK basic RACF functions will NOT grant such userids access based on:

• UACC
• ID(*)
• GLOBAL rules

(Note that the RESTRICTED attribute has no effect for UNIX files in the HFS, nor for datasets and resources marked WARNING.

This is an elegant solution to a problem many of us face when we connect the mainframe to the Internet: we have RACF userids assigned to "any user who comes in from the web who asks to look at our marketing home page". If we have not yet set the UACCs to all our sensitive datasets and resources to NONE, then such users could conceivably read our sensitive data. If we make these userids RESTRICTED however, they can only access data to which they have been explicitly permitted. Thanks IBM.

What You Need to Know About Distinguished Names

Distinguished Names are names that can describe someone to any computer in your organization. Distinguished names are made up of RDNs (Relative Distinguished Names) separated by slashes. Each RDN has an attribute name and an equals sign. For example, C=US is an RDN that identifies the country as the US. The C attribute always stands for "country". Other attributes include: O for "organization"; L for "location"; CN for "common name"; and OU for "organizational unit".

Imagine a user named Stu Henderson. His common name would likely be CN=Stu Henderson. If he works for the Henderson Group in the United States, he might have these RDNs: O=Henderson Group and >B>C=US. If within the Henderson Group, he works in the Consulting branch of the Operations department, then he might also have these RDNs: OU=Operations and OU=Consulting.

His full distinguished name might be:

/.../C=US/O=Henderson Group/OU=Operations/OU=Consulting

How To Think About Internet Users Connecting to the Mainframe

Consider at least three categories of Internet mainframe user:

• 1) System and application programmers who need to access the system in emergencies to fix problems over the Internet. These users have userids and passwords, and have been authorized system access by their managers. The only problem is that you don't want mainframe passwords going over the Internet without being encrypted. You must enforce encryption between their laptops and the mainframe. Learn more about IBM's Host on Demand product and the encryption built into OS/390 and IBM's TCP/IP. Learn about SSL (Secure Sockets Layer) and VPN (Virtual Personal Networks).

• 2) Potential customers for your organization's products and services. These users could be anywhere on the Internet and you want to make it easy for them to read the advertising material on your home page. You don't know who they are. You will NOT want to make them "fill out a Userid Request Form and get it signed by a Manager".

  You will instead use the control file for the WorldWideWeb server on the mainframe to specify: "If anyone comes in over the Internet and wants to read the advertising we have in file so and so, then automatically give them the RACF userid JOHNQ (or whatever), and don't require a password. In fact, don't even make them enter the userid. If they ask to read that file, log them on under the covers and call them JOHNQ without their even knowing it." You can use the name JOHNQ or any other name that suits you. You could have several different userids, each for a different marketing file. But you must define the userid as a RACF userid. If you want it to access UNIX files under USS, then you must give that userid an OMVS segment in the RACF database. MAKE THIS USERID BE RESTRICTED SO THAT IT CAN'T ACCESS FILES UNLESS YOU EXPLICITLY PERMIT IT.

• 3) Customers who have accounts with your organization. For example, bank customers, insurance company policy holders, or automobile drivers who want information about their records with the Department of Motor Vehicles. These users will also not be willing to fill out a form to get a userid. You must work with your Marketing Department or whoever, so that whenever a customer opens an account, he gets defined quickly, easily, and automatically to the system. (Think of the process a bank follows when you open an account and they send you an ATM card and a PIN number for it.) Unlike the category 2 users, these users must be reliably identified so you can let each one see only his or her own records. Passwords will not be sufficient for this. Perhaps you will use digital certificates (perhaps with RACF as the Certifying Authority). You should be discussing this with your Marketing Department (and perhaps Legal and Risk Management too) now.

Imagine That When You First Heard About the "I Love You" Virus

on the morning news, you had immediately phoned the guy who administers your firewalls. You gave the secret password to prove to him who you are, and asked him quickly to add an additional filter to the firewall.

The filter would reject all incoming e-mail (that is, from the outside Internet through the firewall to someone on your internal internet). The filter would allow all internal-to-internal email (passing through all e- mail from someone on your internal internet to someone else on your internal internet). It would also allow all outgoing e-mail (from your internal internet to the outside Internet).

Later, when you get to work, you learn more details about the virus. Working with your firewall administrator, you decide to replace the filter with a better one, one which simply rejects any e-mail message whose subject is "I Love You". You and the firewall administrator would both look like heroes. Of course, you had earlier reminded every user not to open attachments of emails, even from people they know and trust, without going through some attachment quality checker.

You say that you don't know the name of your firewall admin? Then it's time to buy him lunch. You say that there is no single set of firewalls that provides a single chokepoint between the outside Internet and your internal network? Then it's time for someone to coordinate firewall configurations for your entire organization. You want to be part of that task force, or even to initiate it. This is all true, assuming that you want to be a Data Security Officer and not just a RACF clerk.

(Apologies to John Lennon)

Interesting Products Column

We have not evaluated these, but think every RACF shop should know about them:

• Megacryption from ASPG lets you encrypt and decrypt any file in your MVS environment. For more info, call (800) 662-6090 or see www.aspg.com. .
• The Security Bridge from Security Integration provides a patented method for linking RACF, ACF2, or TopSecret to legacy application security. If you have an old system whose security you would like to integrate with RACF, you will want to learn more about this product line. For more info, call (800) 888-5031, or see www.securityintegration.com. 

NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS

NYRUG: At Our Next Meeting

Our next meeting will be hosted by IBM. Speakers will include: Mark Nelson of IBM on the latest RACF features, on the real skinny on Erase-on- Scratch, and on nifty new stuff with digital certificate filtering; Linda Ryan-Doolittle of IBM (who actually does a whole lot, and who is the product manager for RACF) on future directions for RACF; and Hector Coca of Maersk Data Systems on viruses and how to stop them. As always, we will have a Q&A session with some of the best RACF minds in the tri-state area to answer your questions.

Time: Wednesday, July 12, 2000 from 1PM until it's too late to go back to the office.

Place: IBM in Manhattan, 590 Madison Avenue (The cross street is about 56th or 57th.)

(Please note also that the speaker for our next meeting will likely be Phil Emrich. This meeting will be hosted by Vanguard Integrity Professionals on October 20th, a Friday. Phil is perhaps the best authority on RACF with CICS in the world, both in terms of technical depth and breadth, and also in terms of skill at explaining complex subjects simply. He may speak to us on RACF and CICS, or RACF and MQ Series, or some other topic. See details in next issue. Also, VIP may again offer a drawing for a Palm Pilot.)

==============================================================

BWRUG (Baltimore/Washington RUG):

The BWRUG will not meet in July. Our next meeting should be October 20, 2000. Please note that this is a Friday to accomodate a special speaker: Phil Emrich, formerly of IBM, and now of Vanguard Integrity Professionals. (See more info earlier in this issue.) Please note also that starting in 2001, the BWRUG will start meeting on ... instead of Thursdays.

(Please note also that the speaker for our next meeting will likely be Phil Emrich. This meeting will be hosted by Vanguard Integrity Professionals on October 20th, a Friday. Phil is perhaps the best authority on RACF with CICS in the world, both in terms of technical depth and breadth, and also in terms of skill at explaining complex subjects simply. He may speak to us on RACF and CICS, or RACF and MQ Series, or some other topic. See details in next issue. Also, VIP may again offer a drawing for a Palm Pilot.)

Wherever You Live or Work:

Why not see if your organization can host a meeting for your local RUG?

Permanently Interesting Products Column

We have not evaluated these, but think every RACF shop should know about them.

• The Security Bridge from Security Integration provides a patented method for linking RACF to legacy application security. For more info, call (800) 888-5031, or see www.securityintegration.com. 
• Blockade. Call Mike Forani at (888) 898-9949 or http://www.blockade.com. 
• PassGO (Formerly CKS) Call Amy Ricker (978) 635-1588 or www.passgo.com. 
• Lockstar, PKI tools. Call Lee Ann Morse at (973) 249-9410 or www.lockstart.com. 
• ASPG's ERG (Easy RACF Query). Call Cathy Thompson at (800) 662-6090 or cathyt@aspg.com  for more info.
• Technologic Software's Smart Security Administrator (formerly MegaSolve SSA) and Smart Security Reporter (formerly LT Technologies' Security Server SMF Reporting). Phone Bill Tomlinson at (949) 509-5000 for more info. OR http://www.megasolve.com 
• CONSUL/RACF including CICS Toolkit. Call (888) 323-0880 for information. On the Internet: http://www.consul.com 
• Entact Information Security offers tools for cross- platform administration, auditing, and authentication. Products include: eAudit, eAdmin, eRequest, eRole, eRights, eUniPass, eReset, and eAPI. For info call Brent Phillips at 1-877-368-2281 (toll-free) or see http://www.entactinfo.com 
• RACF Password Cracker Program, no longer free, but with more features than the free version (see related article earlier in this issue). Email Peter Goldis at pgoldis@world.std.com or look at www.goldisconsulting.com 
• RA/2. Call Mario Labita at Software Engineering of America at (516) 328-7000.
• ICU MVS Penetration Analysis Tool from Janus Associates. www.janussecurity.com. 
• RtoR from Open Software Technologies. Call Everett Bowyer at (800) 226-3670 or http://www.open-softech.com/rtor.htm  for info.
• Beta System's software for RACF administration. Call (800) 777-9864 for more info. OR http://www.betasystems.com 
• Vanguard's Administrator and Sysdata' RIOVISION. Call (714) 939-0377 for more info. OR http://www.viplink.com 
• SecurePass from Proginet to link RACF with Windows NT security. Call (516) 248-3366 for more info. OR http://www.proginet.com 

Fifteen Minute Project to Improve Your RACF

Learn about the SERVAUTH resource class. You use it to control access to TCP, to specific TCP and UDP ports, and to the network. Once you understand how it works, discuss it with your firewall administrator over lunch. (More info on SERVAUTH coming in a future issue.)

HG RACF and Security Training 1998 Schedule:

The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog.

            The Henderson Group offers its RACF and computer security/audit seminars around the
country and on-site too.  See the details below or call (301) 229-7187 for a free seminar catalog.  


  1)        HG04 Effective RACF Administration ($1695)  

  (REVISED)   Oct. 23-27,             2000 in New York City
              Dec. 4-8,              2000 in Bethesda, MD (near Washington, DC)
              Feb. 19-23,            2001 in Clearwater, FL

  2)        HG05 Advanced RACF Administration  ($1185)

              May  22-24,            2000 in Denver, CO
              Oct. 4-6,              2000 in Bethesda, MD (near Washington, DC)


  3)        HG17 How to Be an Effective OS/390 (MVS) Data Security Officer) 
            (covers CICS, VTAM, DB2, JES, and other security along with MVS 
            security, SAF, and OS/390)             ($1190) 

              Apl. 5-7,              2000 in New York City 
              Nov. 8-10,             2000 in Bethesda, MD (near Washington, DC)


  4)        HG40 Mastering Windows 2000 (NT) Security   (Windows 2000 is the 
            new name for Windows NT Release 5, or NT5; this class covers NT4 
            security as well as Windows 2000 security) ($1195)

  (REVISED)   May 31-June 2          2000 in New York City 
              Sept. 27-29,           2000 in Bethesda, MD (near Washington, DC)

RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)

• Technical support hotline, Meetings, Free Newsletter subscription, Seminar Catalogs: Stu Henderson - (301) 229-7187 5702 Newington Rd, Bethesda, MD 20816

RACF List Server on the Internet

To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: listserv@listserv.uga.edu

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.

Other Internet places:

• Georgia RUG home page on the Internet http://www.mindspring.com/~ajc10/garug.html 
• IBM RACF home page: http://www.s390.ibm.com/products/racf/racfh.html 
• IBM S/390 home page, including RACF: http://www.s390.ibm.com 
• IBM FTP site, including RACF stuff: (corrected) ftp.s390.ibm.com  (Log in as anonymous and issue this command to change the current directory: cd os390\racf)
• IBM Redbooks: http://www.ibm.com/redbooks 
• IBM Secureway site: http://www.ibm.com/security 
• IBMLink at: http://www.ibmlink.com 
• Other vendors contact info listed earlier under "Permanently Interesting Products"
• the Henderson Group: www.stuhenderson.com 

Copyright ©: 2000, Stuart C. Henderson
Revised - June 27, 2000
URL:www.stuhenderson.com