Texas RACF Users Group Going Strong Under New President

Carolyn Hopkins is the new TRUG President. To join or get more info, call her at (713) 831-8010. Tell her W says Hello.

To Get a Free Subscription to this Newsletter

Phone Stu at (301) 229-7187 with your request, leaving your name, postal address, and phone. For back issues, check his website: the Henderson Group at: http://www.stuhenderson.com 

No RACF User News in June

We have gone to a three-issues per year schedule. Next issue will be in September, 2001. Have a great summer!

NEW YORK RUG Meeting Dates

Tuesday, April 3, 2001 from 1 to 5PM. Mark your calendars now. See inside for details. The meeting after that will be in October, probably on a Tuesday.

BALTIMORE/WASHINGTON RUG Meeting Dates

Monday, April 2, 2001 from 1 to 5PM. Mark your calendars now. See inside for details. The meeting after that will be in October, probably on a Monday.

-------------------------------------------

Here's a Neat New Source of RACF Info

Several IBMers have placed the handouts from various presentations they make on the web. You can check them out at: http://www.ibm.com/s390/racf/presentations.html 

The next big Vanguard Conference

will be in Reno, June 3-8, 2001. For contact info, please see page 7.

IBM Secureworld Security Conference

will be held August 27-31 at the Marriott Wardman hotel in Washington, DC.

Correction to Comments on TSOAUTH Class

Last issue under the Fifteen Minute Project, we misstated the purpose of the rule named RECOVER in the TSOAUTH resource class. Alert reader Russell West was kind enough to point out that this rule represents the ability to do a TSO recovery, that is the ability to salvage a user's TSO address space, for example when your terminal gets disconnected and you want to reconnect. Thanks Russell.

How Do I "Hard-Revoke" a Userid When I Don't Have Third Party Software?

If you don't want the risk of a fired employee's userid being resumed inadvertantly, if you have a third party product like Beta-88, Vanguard, CONSUL, or RA-2, you can hard-revoke the userid. If you don't, here are some suggestions:

• Revoke the userid; mark it RESTRICTED.
• Mark it protected, that is NOPASSWORD and NOOIDCARD. This is better than changing the password, since resuming the userid still won't let people log on to it with a password.
• Give the userid the AUDITOR attribute. If your Help Desk has permission to resume userids only from a FACILITY class rule, they can't resume userids with AUDITOR, (nor SPECIAL nor OPERATIONS).
• Delete all his segments (for example, to cut him out of TSO)
• Have a holding group of terminated userids. Connect him to it. Make it his default group. Remove him from all other groups. Enforce the rule that you never give permission to userids, only to groups.

Why Would I Use the FACILITY Class Rules Named IEAABD.DUMPAUTH and IEAABD.DMPAUTH?

As we start to make greater use of encryption, we will need to be absolutely certain that no one can learn the encryption keys, especially the keys used to prove the identity of our server, and to support SSL over the Internet. These FACILITY class rules control the ability to get dumps of memory containing controlled programs and memory for address spaces which contain tasks executing with protect keys lower than 8. You will also want to use dataset rules named SYS1.DUMP%% with a UACC of NONE. See the IBM manual: RACF Security Administrators Guide.

So What Should I Expect When We Convert from OS/390 to z/OS?

Q: Will they have to break down the wall of the data center to bring in the new hardware?

A: No, it runs in the same boxes as before.

Q: Will they then have to put in new circuit boards in the CPU box?

A: No, they just put in new microcode. This is the logic which tells the circuit boards how to execute individual instructions (that is, instructions at the level of LOAD REGISTER and MOVE CHARACTERS).

Q: Is my vast knowledge of JCL, RACF, MVS, and CICS now obsolete?

A: No, these all stay the same. New features may introduce new operands, but it won't be more difficult than the upgrade to OS/390.

Q: So, what's the big deal with z/OS?

A: It gives you more power, more up-time, more flexibility,5 and greater ability to connect over networks. (Did we mention that RACF already gives us great security over USS, TCP/IP, and the Websphere web server?) It also give us 64-bit addressing, which means that the highest number we can address in memory is much, much bigger than before. z/OS still supports 31-bit and 24- bit addressing; it just gives us the option of 64-bit addressing too.

Q: When the name z/OS comes as the first word in a sentence, should we make the z be upper case or lower case?

A: IBM is aware of this problem and has their very best people working on it.

Q: I'm an Assembler Language Programmer, so what does this mean to me? Many control blocks will have changed formats to accommodate 64-bit addressing. However, this should cause no problem for anyone, since we have all stopped using programs which rely on the layout of control blocks which IBM says are not part of the standard programming interface. We all learned our lesson when we converted to MVS/XA (which is when we first were able to use 31-bit addressing).

Note that the PSW (Program Status Word) can now be 16 bytes long instead of 8, and the reserved addresses in low memory now can take 8K instead of 4K. Previous Assembler Language instructions work the same, but some have additional versions to support 64-bit addressing (often marked by adding a G to the instruction name). For example, we have always used the A instruction to add a fullword to a register, and AH to add a half-word (two bytes) to a register. With 64-bit addressing, we now have the instruction AG to add two words (64-bits) to a register. Registers are now 64 bits wide. However, they look the same, since we ignore the leftmost 32 bits except when we are in 64- bit mode. This means that the right-most 32 bits of each register are used anytime we are in 24 or 31-bit addressing mode, just as if it were a regular old 32 bit register.

Interesting Products

We haven't evaluated these, but believe that every RACFer should know of them.

• ASPG announces SECURE/FTP, a software product that improves FTP security in OS/390 data centers by interfacing with RACF, ACF2, or TopSecret. SECURE/FTP also allows automatic scheduling of programs to execute whenever a specified file transfer completes. For more info, call (800) 662-6090.
• ASPG announces SMFUTIL a new utility to automate SMF dumping and insure SMF integrity. Call (800) 662-6090 for more info.

Fifteen Minute Project to Improve Your RACF

Review your SETROPTS options for datasets. The following are considered by many knowledgeable people to be essential for effective security:

• PROTECTALL (requires every dataset to be defined to RACF)
• TAPEDSN (provides protection for tape datasets, as well as disk datasets, based on dsname, using the same DATASET rules used for disk datasets)
• Rule named ICHBLP in the FACILITY class to control use of Bypass Label Processing. (Anyone who can BLP can bypass RACF protection for all tape datasets.) (Requires TAPEVOL class to be active also.) This rule of course doesn't show in the SETR LIST, so you need to issue RL FACILITY ICHBLP ALL.
• Erase-On-Scratch ensures that data in disk datasets is obliterated when the dataset is deleted. Otherwise the data can be read by whoever happens next to allocate the same cylinders of the disk pack. (Common practice is to activate this option only for selected datasets. Please note that the performance problems once associated with this feature are all but gone, due to hardware improvements.)
• (Useful, but perhaps not essential) SETR PREFIX to set a prefix to be used as the high level qualifier for dsnames which have only one qualifier (for example, DSNAME=GEORGE)

To read the output of the SETR LIST command, (whose format is almost impossible to read), consider breaking it into five parts (in your head, of course). The first part is the first line. The second part is all the information about resource classes, which goes on for several pages. The third part describes dataset and user options (including PROTECTALL and others listed above). The fourth section describes password options, and the fifth (last) section is miscellaneous stuff that doesn't fit anywhere else. Start by marking the output into five sections, then look just at the third section for the items listed above.

Note that the way options are described in SETR LIST output often uses completely different words from the words you use in setting the options. For example, SETR TAPEDSN results in a listing describing TAPE DATASET PROTECTION IS ACTIVE. Other discrepancies are so egregious that we can't print them in a family publication. Just laugh when you see them, and think "IBM can't fool me."

-------------------------------------------

NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS

NYRUG: At Our Next Meeting

Our next meeting will be hosted by Vanguard Integrity Professionals, which is also providing members with a free, pre-meeting lunch and product demonstration. Vanguard's product presentation precedes and is completely separate from our regular meeting. The product presentation will describe QS/390 and other VIP products. Our speaker will be: Phil Emrich of Vanguard on "RACF Security for MQ Series on OS/390". As always, we will have a question and answer session with some of the keenest RACF minds in the State to answer questions.

Time: Tuesday, April 3, 2001. The lunch and product presentation will begin at noon. The regular meeting starts at 1PM until it's too late to go back to the office.

Place: The Holiday Inn at 440 West 57th Street in Manhattan, phone (212) 581-8100. Lunch is in the restaurant, the meeting is in the Renaissance A room.

==============================================================

BWRUG (Baltimore/Washington RUG):

Our next meeting will be hosted by Vanguard Integrity Professionals, which is also providing members with a free, pre-meeting lunch and product demonstration. Vanguard's product presentation preceeds and is completely separate from our regular meeting. The product presentation will describe QS/390 and other VIP products. At the regular meeting, our speaker will be: Phil Emrich of VIP on RACF and CICS. Phil will describe the new security facilities recently added to CICS Transaction Server for OS/390. He will also explain Security for CICS and the Web. As always, we will have a question and answer session with some of the keenest RACF minds in the Capital area to answer questions

Time: Monday, April 2, 2001. The regular meeting will be from 1PM to 5PM, and the free lunch and product demo will be from noon to 1PM.

Place: Marriott Residence Inn at 7335 Wisconsin Ave in Bethesda, MD, phone (301) 718-0200. This is at the Bethesda stop of the RED LINE of the Metro (which goes quickly to Union Station for MARC and Amtrak riders). By car: Take the beltway I495 to Exit 34 (Wisconsin Ave.) This is NW of DC, near where I270 joins I495. Take Wisconsin Ave South (aka Route 355 South) about 2.5 miles. Watch for the Hyatt/Bethesda Metro on the right. Just past the Hyatt, take the next left onto Montgomery Avenue. Go one block and take the first right onto Waverly Avenue. Waverly wraps around to the front of the hotel where there is valet parking.

==============================================================

What Comes After Kilobyte and Megabyte?

Since z/OS has 64 bit addressing, we need to learn some new words for big big amounts of memory. Here they are:

• Megabyte equals a little over a million bytes (2 raised to the 20th power)
• Gigabyte equals a little over a trillion bytes (2 raised to the 30th power)
• Terabyte equals a little over a million, million bytes (2 raised to the 40th power)
• Petabyte equals a little over a trillion, million bytes (2 raised to the 50th power)
• Exabyte equals a little over a trillion, trillion bytes (2 raised to the 60th power)

  ====> Note that 2 raised to the 64th power is 16E, that is 16 exabytes.

Permanently Interesting Products Column

We have not evaluated these, but think every RACF shop should know about them.

• The Security Bridge from Security Integration provides a patented method for linking RACF to legacy application security. For more info, call (800) 888-5031, or see www.securityintegration.com. 
• Blockade. Call Mike Forani at (888) 898-9949 or http://www.blockade.com. 
• PassGO (Formerly CKS) Call Amy Ricker (978) 635-1588 or www.passgo.com. 
• Lockstar, PKI tools. Call Lee Ann Morse at (201) 508-3200 or www.lockstar.com. 
• ASPG's Megacryption and ERG (Easy RACF Query). Call Cathy Thompson at (800) 662-6090 or cathyt@aspg.com  for more info.
• Technologic Software's Smart Security Administrator (formerly MegaSolve SSA) and Smart Security Reporter (formerly LT Technologies' Security Server SMF Reporting). Phone Bill Tomlinson at (949) 509-5000 for more info. OR http://www.megasolve.com 
• CONSUL/RACF including CICS Toolkit. Call (888) 323-0880 for information. On the Internet: http://www.consul.com 
• Entact Information Security offers tools for cross- platform administration, auditing, and authentication. For info call Brent Phillips at 1-877-368-2281 (toll-free) or see http://www.entactinfo.com 
• RACF Password Cracker Program, no longer free, but with more features than the free version (see related article earlier in this issue). Email Peter Goldis at pgoldis@world.std.com or look at www.goldisconsulting.com 
• RA/2. Call Mario Labita at Software Engineering of America at (516) 328-7000.
• ICU MVS Penetration Analysis Tool and consulting from Janus Associates. Call (203) 251-0221 or www.janusassociates.com. 
• RtoR from Open Software Technologies. Call Everett Bowyer at (800) 226-3670 or http://www.open-softech.com/rtor.htm  for info.
• Beta System's software for RACF administration. Call (800) 777-9864 for more info. OR http://www.betasystems.com 
• Vanguard's Administrator and Sysdata' RIOVISION. Call (714) 939-0377 for more info. OR http://www.viplink.com 
• SecurePass from Proginet to link RACF with Windows NT security. Call (516) 248-3366 for more info. OR http://www.proginet.com 

HG RACF and Security Training Schedule:

         The Henderson Group offers its RACF and computer security/audit seminars around the
country and on-site too.  See the details below or call (301) 229-7187 for a free seminar catalog.  
To see what students say about these classes, please go to 
www.stuhenderson.com .



  1)     HG04 Effective RACF Administration ($1795)  

                  May  7-11,       2001 in Atlanta, GA   
                  Sept.10-14,      2001 in New York City 
                  Nov. 5-9,        2001 in Clearwater, FL


  2)     HG05 Advanced RACF Administration  ($1185)                             

                  Mar. 28-30,      2001 in Clearwater, FL
                  Oct. 17-19,      2001 in Atlanta, GA   



  3)     HG17 How to Be an Effective OS/390 (MVS) Data Security Officer) (covers CICS,
         VTAM, DB2, JES, and other security along with MVS security, SAF, and OS/390)
         ($1190)                   

                  May  16-18,      2001 in Atlanta, GA   
                  Sept. 5-7,       2001 in New York City 



  4)     HG40 Mastering Windows 2000 (NT) Security   (Windows 2000 is the new name for
         Windows NT Release 5, or NT5; this class covers NT4 security as well as Windows
         2000 security) ($1195)             

                  Apl.  25-27,     2001 in Bethesda, MD (near Washington, DC)
                  Sept. 19-21,     2001 in New York City                     

RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)

• Technical support hotline, Meetings, Free Newsletter subscription, Seminar Catalogs: Stu Henderson - (301) 229-7187 5702 Newington Rd, Bethesda, MD 20816
• For Back Issues of this newsletter and Links to Several Useful Web Sites: check the Henderson Group website at the Henderson Group: www.stuhenderson.com 

RACF List Server on the Internet

To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: listserv@listserv.uga.edu

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.

The RACF User News is published three times a year (December, March, and September) to share information about RACF. All information in it is offered on an "as is" basis, and should be used at your own risk, and with your own testing.

For Back Issues of this Newsletter and Links to Several Useful Web Sites check the Henderson Group website at: www.stuhenderson.com

Other Internet places:

• Georgia RUG home page on the Internet http://www.mindspring.com/~ajc10/garug.html 
• IBM RACF home page: http://www.s390.ibm.com/products/racf/racfh.html 
• IBM S/390 home page, including RACF: http://www.s390.ibm.com 
• IBM RACF Goodies Site: http://www.s390.ibm.com/products/racf/goodies.html 
• IBM RACF Presentations Site: http://www.ibm.com/s390/racf/presentations.html 
• IBM FTP site, including RACF stuff: ftp.s390.ibm.com  (Log in as anonymous and issue this command to change the current directory: cd os390\racf)
• IBM Redbooks: http://www.ibm.com/redbooks 
• IBM Secureway site: http://www.ibm.com/security 
• IBMLink at: http://www.ibmlink.com 
• Other vendors contact info listed earlier under "Permanently Interesting Products"
• the Henderson Group at: http://www.stuhenderson.com 
Stuart Henderson
(301) 229-7187
5702 Newington Road Bethesda, MD 20816-1282
stu@stuhenderson.com







Copyright ©: 2001, Stuart C. Henderson
Revised - March 18, 2001
URL:www.stuhenderson.com