RACF Security - Boot Camp


This comprehensive ten-day 'Boot Camp' course provides an accelerated learning approach to the mainframe RACF security environment. The course is ideal for both Systems Programmers and Security Administrators. RACF is covered in great detail, along with its use with z/OS, DB2 and UNIX System Services.
The regular, hands-on lab exercises give students the opportunity to try out their newly-gained skills immediately. On successfully completing this boot camp, attendees will have reached the skill level needed to enable them to efficiently and effectively carry out the tasks required of a systems programmer or security administrator in a z/OS environment.
This course is available 'on demand' (minimum 2 students) for public presentations or for one-company, on-site presentations.

Objectives

On successful completion of this course you will be able to:

  • explain the need for security in business information systems
  • describe how RACF meets business information systems security needs
  • design a group structure to meet your installation's requirements
  • explain and use RACF commands
  • describe the effect of the various group profile related parameters
  • explain the management and use of the various non-RACF segments in user profiles
  • connect users to groups and manage the assigned group authorities
  • use the data set related commands to manage both discrete and generic profiles
  • manage general resources
  • use and explain the operation of the basic SETROPTS management commands
  • use and interpret the output of the Data Security Monitor
  • use the database unload utility, cross reference utility, remove ID utility, database verification utility, database split/merge/extend utility, and the database block update utility
  • run and interpret auditing reports
  • describe and explain in detail the RACF architecture, its components and facilities
  • understand and use the SETROPTS and RVARY commands to manipulate the RACF options and database
  • use advanced general resource classes
  • define users to use TSO and SDSF
  • define the parameters needed to set up security for JES2
  • describe the facilities provided by RRSF
  • describe the B1 security parameters, including security labels, levels and categories
  • list the facilities RACF provides for digital certificates
  • customise RACF to meet the requirements of your organisation and its environment
  • describe how RACF interacts with USS, DB2 for z/OS and CICS
  • describe and use all of the RACF utilities
  • identify how the operation of RACF changes when running in a parallel sysplex
  • describe and explain the IPL process and the security issues associated with facilities such as APF, the PPT, system exits and the linklist
  • describe the components of the RACF database
  • describe the requirements for implementing a secure UNIX System Services environment
  • understand how to administer file access
  • list the RACF UNIX System Services general resource classes
  • move around the UNIX System Services environment and describe the use of the shell
  • use UNIX System Services commands
  • use file systems and ACLs
  • mount and unmount HFS file systems
  • understand the use of superuser and UID(0)
  • describe DB2 security
  • understand the terminology used with DB2 security
  • use and structure the DB2 security tables
  • explain and use the primary, secondary and CURRENT SQLID authorisation IDs used by DB2
  • use SQL to control security using the GRANT and REVOKE statements
  • describe the meaning of explicit, implicit, composite and grouped privileges
  • explain ownership considerations with regard to DB2 objects
  • control DB2 address space and data set authorisation using RACF
  • use RACF to control access to DB2 objects
  • describe the RACF classes for DB2 objects
  • create RACF profiles for DB2 objects
  • understand the additional considerations when using DB2 in a distributed environment.

Who Should Attend

Systems Programmers and Security Administrators who are new to RACF.

Prerequisites

A firm grounding in the mainframe computing environment, including skills in TSO and JCL.

Duration

10 days

Fee (per attendee)

£4150 (ex VAT)

Course Code

RABC

Contents

Introduction to RACF

What is RACF?; Why do we need security?; Security in the 'old days'; Security these days; What security do we need?; Where are the dangers?; How can RACF help?; RACF profiles; How RACF operates; The RACF database; Multiple data set database; Resource classes.

z/OS Technical Overview

z/OS controls & drivers; The IPL process; PARMLIB & IPLPARM; Display IPLINFO; LOADxx & IODF; System parameter list IEASYSxx; What is APF?; Defining an APF authorised library; Program Properties Table; Linklist; Dynamic changes; SMFPRMxx; System exits; In-storage profiles; RACLIST & GENLIST; Group tree in storage; ACEE data in memory.

The RACF Database

The RACF database; Database format; Database templates; RACF templates; Issues; Dynamic template objectives; New template support; RACF initialisation; IRRMIN00; Multiple database support; RACF database sharing; The RVARY command; RVARY passwords; RACF FAILSOFT processing; Database backup & recovery.

RACF in a Sysplex

Types of Sysplex; basic Sysplex; Parallel Sysplex; RACF and Sysplex; RACF communication; RACF data sharing; RACF data sharing problems; the four Sysplex modes; the RACF database name table; Coupling Facility structures; defining Coupling Facility structures; in-storage profiles; RACLISTed profiles via RACROUTE; in-storage profiles and Sysplex; introducing RACGLIST; RACGLIST and REFRESH; using RACGLIST.

The RACF Manuals

The manual library; RACF Security Administrator's Guide; RACF features; z/OS features; Other products; Related non-RACF manuals; RACF Command Language Reference; BookManager and Adobe PDF.

Planning for Security

The Security Policy; Resource ownership; How to protect resources?; Grouping resources and users; Document the plan.

The RACF Commands

Entering RACF commands; RACF commands and the manuals; Entering RACF commands in batch; Online Help.

Group Structure

What are Groups?; Why have Groups?; Users and Groups; The initial group structure; The Group Hierarchy; System Special and Group Special; Group Profile ownership; Group connections.

Defining RACF Groups

Group profile commands; Basic ADDGROUP; Specifying the SUPGROUP and OWNER; Other ADDGROUP parameters; Non-RACF segments - DFP, OMVS (z/OS UNIX) and OVM (z/VM); Full ADDGROUP syntax; Full ALTGROUP syntax; Full LISTGRP syntax; LISTGRP output; Full DELGROUP syntax; Group command authority; SEARCH command.

Defining Users

User profile commands; Basic ADDUSER; Specifying the default group; Group authority; Class authority; RACF authorities; RACF attributes; Security levels and security categories; Security level checking; Security category checking; Security labels; Other ADDUSER parameters; Non-RACF segments; Full ADDUSER syntax; Basic ALTUSER; ALTUSER-only parameters; Full LISTUSER syntax; LISTUSER output; Full DELUSER syntax; User command authority; Basic PASSWORD; Changing other users' passwords; Full syntax of PASSWORD; Password command authority.

Connecting Users to Groups

Connect and Remove Commands; Basic CONNECT; Full CONNECT Syntax; Basic REMOVE; Full REMOVE Syntax; Connect/Remove command authority.

Dataset Profiles

Dataset profile commands; Basic ADDSD; Discrete data set profiles; Discrete profile parameters; Generic data set profiles; Generic wildcard characters - %; Generic wildcard characters - *; Generic wildcard characters - **; Specifying data set attributes; Access levels; Auditing access attempts; Profile copying; Security level & category checking; Other profile attributes; Full ADDSD syntax; Basic ALTDSD; ALTDSD-only parameters; Full ALTDSD syntax; Basic LISTDSD; Listing many data set profiles; Listing generic or discrete profiles; Specifying what to list; Full LISTDSD syntax; LISTDSD output; Full DELDSD syntax; Data set command authority; Basic PERMIT; Conditional access lists; Permitting many users access; Removing users and groups; Deleting access lists; Full PERMIT syntax; PERMIT command authority; SETROPTS GENERIC(DATASET) REFRESH; SEARCH command basics; SEARCH control parameters; The FILTER & MASK parameters.
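The data set profile topics above are listed, not shown. The following batch job is an added example (not course material from RSM Technology) that strings the commands together the way an administrator would: a generic profile with UACC(NONE), auditing of failures and of successful updates, least-privilege access for two groups, a conditional (program-controlled) entry for batch, the generic refresh without which the new profile is not seen, and a LISTDSD to verify. The job name, group names (PAYADM, PAYUSR, PAYBATCH), the program PAYUPD and the high-level qualifier PAYROLL are assumed for illustration.

```jcl
//RACFDSD  JOB (ACCT),'PROTECT PAYROLL DSN',CLASS=A,MSGCLASS=X
//*
//* Added example (assumed names throughout): protect PAYROLL.** with
//* a generic profile and grant access on a least-privilege basis.
//*
//* ADDSD  - generic profile, default access NONE, owned by the admin
//*          group; log failed READs and successful UPDATE or higher.
//* PERMIT - READ for users, ALTER for administrators; batch may only
//*          UPDATE when running program PAYUPD (PROGRAM class must be
//*          active and PAYUPD must be a controlled program).
//* SETROPTS GENERIC(DATASET) REFRESH - generic profiles are held
//*          in storage; until the refresh, access checks still use
//*          the old copy and the new profile has no effect.
//* LISTDSD ... AUTHUSER - show the profile with its access lists.
//*
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  ADDSD 'PAYROLL.**' GENERIC UACC(NONE) OWNER(PAYADM) +
        AUDIT(FAILURES(READ) SUCCESS(UPDATE))
  PERMIT 'PAYROLL.**' GENERIC CLASS(DATASET) ID(PAYUSR) ACCESS(READ)
  PERMIT 'PAYROLL.**' GENERIC CLASS(DATASET) ID(PAYADM) ACCESS(ALTER)
  PERMIT 'PAYROLL.**' GENERIC CLASS(DATASET) ID(PAYBATCH) +
        ACCESS(UPDATE) WHEN(PROGRAM(PAYUPD))
  SETROPTS GENERIC(DATASET) REFRESH
  LISTDSD DATASET('PAYROLL.**') GENERIC AUTHUSER
/*
```

Comments are kept in the JCL rather than in SYSTSIN because a `/*` in columns 1-2 of the in-stream data would end the command input. The conditional PERMIT is the security-relevant point: it lets the batch ID update the payroll data only through the controlled program, so a user connected to PAYBATCH cannot edit the files from TSO.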

General Resource Profiles

General resource profile commands; Basic RDEFINE; Common RDEFINE parameters; Adding additional profile information; When the class is CONSOLE; When the class is OPERCMDS; When the class is CDT; When the class is SURROGAT; The Started Task Table; Using ICHRIN03; Using the STARTED class; When the class is TAPEVOL; Full RDEFINE syntax; Resource grouping classes; Protecting CICS transactions; Protecting load modules; Defining the TSOPROC class and profiles; Defining the ACCTNUM class and profiles; Defining the TSOAUTH class and its resources (JCL, CONSOLE, PARMLIB and OPER); Defining the SDSF class; Accessing the SDSF menu; Writing to JESSPOOL; Protecting SDSF; Basic RALTER; RALTER-only parameters; Full RALTER syntax; Basic RLIST; Common RLIST parameters; Listing non-RACF segments; Special RLIST features; Full RLIST syntax; RLIST output; Full RDELETE syntax; Remember PERMIT?; General resource command authority; The Global Access Checking table; In-storage profiles; In-storage profile parameters.

Advanced General Resources

The FACILITY class in general; The HELPDESK function; Setting up the HELPDESK facility classes; Password reset and list user with the owner and group functions; Password enveloping; How does password enveloping work?; Exceptions to password enveloping; RACF variables; Using the RACFVARS class; Using RACF variables; FIELD level access checking; Using the FIELD class; Delegating TSO administration; Security for OMVS; Using the CFIELD class; What is a custom field?; RACF command changes; Define a custom field; Activate a custom field; Putting data into a custom field; Authorisation for CSDATA; RACF panel changes; RACF profile segments; DASD volume operations; Access to DASD volumes; DASDVOL profiles; RACF security for tapes; Tape volume protection; Tape data set protection; TAPEVOL, BLP; OPERCMDS class.

RACF Modules

RACF control tables; Modules everywhere!; ICHRDSNT; ICHRRNG; Class Descriptor Table (CDT); Dynamic CDT; Defining a Dynamic CDT; Rules; POSIT values; New segment CDTINFO; CDTINFO options; Managing Dynamic CDTs; Migration Utility (CDT2DYN); ICHRFR01; ICHRIN03; ICHAUTAB; ICHNCV00.

RACF Remote Sharing Facility

The RACF Remote Sharing Facility; RACF command direction; RACF password synchronisation; managed user associations; controlling RACLINK use; controlling password synchronisation; controlling the AT keyword; automatic RACF command direction; controlling automatic RACF command direction; combined RACF command direction; use of the ONLYAT keyword; automatic password synchronisation; controlling automatic password synchronisation; password synchronisation by command; defining RRSF nodes; the RACF subsystem & parameter library; APPC and TCP/IP connections.

RACF & JES2

RACF & JES2; JES resources protected by RACF; Batch user identification; Userid propagation; Surrogate job control; JES early verification; Started task identification; SETROPTS options for JES; Network Job Entry (NJE); Remote Job Entry (RJE).

Introduction to UNIX System Services

Course agenda; What are 'Open Systems'?; z/OS USS; Benefits of USS; z/OS USS components; z/OS UNIX interfaces; HFS; SAF for z/OS UNIX; USS security with RACF.

Users & Groups

UNIX user definition; Users & Groups; User & Group Profiles; RACF User/Group profile extensions; UNIX identity; RACF commands for Users; RACF commands for Groups; System Resource limits; OMVS segment - additions; The SEARCH command; Security administration.

Superusers & UID/GID Management

User definition - superuser; BPX.SUPERUSER; Switch to superuser mode; Superuser granularity; UNIXPRIV resource names; UNIXPRIV class; Managing UIDs; Prevention of shared UIDs; Shared UIDs; Prevention of shared UIDs - example; SEARCH enhancement to map UID & GID; Automatic UID/GID assignment.
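Superuser granularity is the point of this section: a user defined with UID(0) is always root, whereas BPX.SUPERUSER lets an authorised user switch to superuser only when needed, and UNIXPRIV grants one specific privilege without any root access at all. The job below is an added example, not part of the course, showing the three levels side by side together with the SHARED.IDS control and automatic UID assignment. The group names (SYSPROG, STORADM, OPS), the userid OPERJOE and the BPX.NEXT.USER ranges are assumed for illustration.

```jcl
//UNIXPRIV JOB (ACCT),'USS LEAST PRIVILEGE',CLASS=A,MSGCLASS=X
//*
//* Added example (assumed names throughout).
//*
//* 1. BPX.SUPERUSER (FACILITY): READ access lets a user switch to
//*    UID 0 with 'su' when needed, without being defined as UID(0).
//* 2. UNIXPRIV: grant only the privilege actually required. Here
//*    storage administrators may mount file systems (UPDATE also
//*    allows mounting with setuid; READ would allow nosetuid only)
//*    and never become root.
//* 3. SHARED.IDS (UNIXPRIV): once the profile exists, ADDUSER/ALTUSER
//*    refuse a UID already in use unless the issuer has READ access
//*    and specifies SHARED. Nobody is permitted here, so duplicate
//*    UIDs are blocked. (Requires Application Identity Mapping.)
//* 4. BPX.NEXT.USER (FACILITY): APPLDATA holds the UID/GID ranges
//*    used when OMVS(AUTOUID) / OMVS(AUTOGID) is requested.
//* FACILITY and UNIXPRIV must be active and RACLISTed; the REFRESH
//* makes the new profiles visible to the running system.
//*
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  SETROPTS CLASSACT(FACILITY UNIXPRIV) RACLIST(FACILITY UNIXPRIV)
  RDEFINE FACILITY BPX.SUPERUSER UACC(NONE) AUDIT(ALL(READ))
  PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(SYSPROG) ACCESS(READ)
  RDEFINE UNIXPRIV SUPERUSER.FILESYS.MOUNT UACC(NONE)
  PERMIT SUPERUSER.FILESYS.MOUNT CLASS(UNIXPRIV) ID(STORADM) +
        ACCESS(UPDATE)
  RDEFINE UNIXPRIV SHARED.IDS UACC(NONE)
  RDEFINE FACILITY BPX.NEXT.USER APPLDATA('10000-19999/10000-19999')
  SETROPTS RACLIST(FACILITY UNIXPRIV) REFRESH
  ADDUSER OPERJOE NAME('JOE OPERATOR') DFLTGRP(OPS) +
        OMVS(AUTOUID HOME('/u/operjoe') PROGRAM('/bin/sh'))
  LISTUSER OPERJOE OMVS NORACF
/*
```

AUDIT(ALL(READ)) on BPX.SUPERUSER records every switch to superuser in SMF, which is what the later "Auditing the superuser" topic depends on. The LISTUSER at the end confirms which UID the AUTOUID request actually assigned.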

Application Identity Mapping

Application Identity Mapping.

z/OS UNIX File Security

Directories & files; UNIX file security; Protecting directories & files; Access levels; The File Security Packet (FSP); Reading file permissions; Basic file authorisation checking; File permission examples; Protecting files; chmod command examples; chown command - change file owner; chmod - change file mode (permissions); File authorisation checking with UNIXPRIV; RESTRICTED attribute; Default file permissions & umask; List file & directory information.

Access Control Lists (ACLs)

Access Control Lists (ACLs); Three types of ACL; Two types of access ACL - base; Two types of access ACL - extended; Permission bits & ACLs; Authority to create ACLs; The getfacl & setfacl commands; getfacl; setfacl; Managing ACLs; getfacl - no ACLs; getfacl - display ACLs for directory; ACL examples; setfacl - change permission bits; ACL inheritance; Directory default ACLs; File default ACLs; getfacl - display all ACLs; UNIXPRIV & ACLs; Authorisation checking - summary; Recommendations.

Security for Daemons & Servers

UNIX level security for Daemons; RACF profiles for daemon security; Server overview; UNIX level security for servers; RACF profiles for server security; Recommendations.

Interpreting Messages

Interpreting ICH408I messages; Interpreting BPX messages; Interpreting other messages.

RACF & Digital Certificates

Cryptography in Internet applications; Public key cryptography overview; What is a digital certificate?; Public key & certificate; Uses for certificates in applications; Secure Sockets Layer (SSL); Digital certificates and RACF; How RACF uses digital certificates; RACF classes & commands; RACF certificate generation; RACDCERT command; Creating a certificate; GENCERT examples; Key rings; Certificate installation; RACDCERT ADD examples; Certificate management.

RACF with DB2

Security overview; Sign-on security; Connection security; DB2 internal security; Other options; Security strategy (Transaction Manager or DB2); Security strategy (centralised or decentralised); Using remote applications.

Internal DB2 Security

DB2 security; DB2 security mechanism; DB2 security tables; Security terms; Authorisation ID; Privilege; Resource; Primary and Secondary Authorisation IDs; Maintaining security; Data Control Language; Grouped privileges; Explicit & implicit privileges; Ownership considerations; Static and Dynamic SQL; Static SQL considerations; Dynamic SQL considerations; DB2 security disadvantages.

Data Control Language & Privileges

SQL GRANT and REVOKE statements; Cascading REVOKE; Package, plan & collection privileges; Database, table, & view privileges; Other object privileges; System privileges; DCL examples: application development, Bind, program execution; Insufficient authority.

DB2 Security Reporting and Auditing

DB2 catalog security tables; Common table columns; SYSIBM.SYSCOLAUTH; SYSIBM.SYSDBAUTH; SYSIBM.SYSPACKAUTH / SYSIBM.SYSPLANAUTH; SYSIBM.SYSRESAUTH; SYSIBM.SYSROUTINEAUTH; SYSIBM.SYSSCHEMAAUTH; SYSIBM.SYSSEQUENCEAUTH; SYSIBM.SYSTABAUTH; SYSIBM.SYSUSERAUTH; Auditing tables; Audit trace.

Defining the DB2 Subsystem to RACF

Address space authorisation; Protected access profiles; RACF router table; DB2 address spaces; Permitting RACF access; Protecting DB2 data sets - create profiles; Protecting DB2 data sets - permitting access.

Defining DB2 Objects to RACF

Native DB2 security; DB2 with RACF; RACF / DB2 external security module; Installation; Mapping DB2 authorisation checks; Scope of RACF classes; Multi-subsystem scope classes; Single subsystem scope classes; Customisation; DB2 objects and RACF classes; Profiles; Privileges - buffer pools, storage groups & tablespaces; Privileges - DB2 system; Privileges - database and schema; Privileges - tables, views, indexes and user-defined functions; Privileges - collection, plan and package; Privileges - distinct types, sequences and stored procedures; Privileges - administrative authorities; Insufficient authority; Migration tools.
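The two sections above (defining the DB2 subsystem to RACF, then defining DB2 objects to RACF) are the steps of one procedure, so here is a single added example, not course material, that walks through them for a hypothetical subsystem DSN1: protected userids and STARTED profiles for the address spaces, DSNR profiles controlling who may connect through each environment, data set profiles for the DB2 VSAM data sets, and finally DSNADM and MDSNTB profiles that the RACF/DB2 external security module checks instead of the DB2 catalog. The subsystem name, data set qualifier DSN1CAT, database PAYDB, table PAYROLL.EMP and the groups are assumptions; the multiple-subsystem scope class names (DSNADM, MDSNTB, MDSNDB) and profile formats are the defaults for that scope, where each profile is prefixed with the subsystem name.

```jcl
//DB2RACF  JOB (ACCT),'DB2 TO RACF',CLASS=A,MSGCLASS=X
//*
//* Added example for assumed subsystem DSN1.
//*
//* Step 1 - address space identification. Protected userids
//*   (NOPASSWORD NOOIDCARD) cannot be used to log on; STARTED
//*   profiles assign them to the started tasks, not TRUSTED so
//*   their accesses are still checked and logged.
//* Step 2 - connection control. DSNR profiles are subsystem.env;
//*   READ is required to connect through that environment.
//* Step 3 - data sets. The DBM1 address space creates and deletes
//*   VSAM data sets, so it needs ALTER; humans get none by default.
//* Step 4 - object authorisation via the external security module.
//*   Administrative authorities live in DSNADM (subsystem.authority
//*   or subsystem.DBADM.database); object privileges in the MDSN*
//*   classes (subsystem.qualifier.object.privilege). READ access is
//*   what the exit checks. The exit uses FASTAUTH, so the classes
//*   must be RACLISTed and refreshed after changes.
//*
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  ADDGROUP DB2SYS SUPGROUP(SYS1) OWNER(SYS1)
  ADDUSER DSN1MSTR NAME('DB2 MSTR') DFLTGRP(DB2SYS) NOPASSWORD NOOIDCARD
  ADDUSER DSN1DBM1 NAME('DB2 DBM1') DFLTGRP(DB2SYS) NOPASSWORD NOOIDCARD
  ADDUSER DSN1DIST NAME('DB2 DIST') DFLTGRP(DB2SYS) NOPASSWORD NOOIDCARD
  RDEFINE STARTED DSN1MSTR.* STDATA(USER(DSN1MSTR) GROUP(DB2SYS) +
        TRUSTED(NO))
  RDEFINE STARTED DSN1DBM1.* STDATA(USER(DSN1DBM1) GROUP(DB2SYS) +
        TRUSTED(NO))
  RDEFINE STARTED DSN1DIST.* STDATA(USER(DSN1DIST) GROUP(DB2SYS) +
        TRUSTED(NO))
  SETROPTS RACLIST(STARTED) REFRESH
  SETROPTS CLASSACT(DSNR) RACLIST(DSNR)
  RDEFINE DSNR (DSN1.BATCH DSN1.DIST DSN1.RRSAF DSN1.SASS DSN1.MASS) +
        UACC(NONE)
  PERMIT DSN1.BATCH CLASS(DSNR) ID(PAYUSR PAYADM) ACCESS(READ)
  PERMIT DSN1.DIST  CLASS(DSNR) ID(PAYUSR) ACCESS(READ)
  SETROPTS RACLIST(DSNR) REFRESH
  ADDSD 'DSN1CAT.**' UACC(NONE) OWNER(DB2ADM) AUDIT(FAILURES(READ))
  PERMIT 'DSN1CAT.**' CLASS(DATASET) ID(DSN1MSTR DSN1DBM1) ACCESS(ALTER)
  PERMIT 'DSN1CAT.**' CLASS(DATASET) ID(DB2ADM) ACCESS(READ)
  SETROPTS GENERIC(DATASET) REFRESH
  SETROPTS CLASSACT(DSNADM MDSNDB MDSNTB) RACLIST(DSNADM MDSNDB MDSNTB)
  RDEFINE DSNADM DSN1.SYSADM UACC(NONE) AUDIT(ALL(READ))
  PERMIT DSN1.SYSADM CLASS(DSNADM) ID(DB2ADM) ACCESS(READ)
  RDEFINE DSNADM DSN1.DBADM.PAYDB UACC(NONE)
  PERMIT DSN1.DBADM.PAYDB CLASS(DSNADM) ID(PAYADM) ACCESS(READ)
  RDEFINE MDSNTB DSN1.PAYROLL.EMP.SELECT UACC(NONE)
  PERMIT DSN1.PAYROLL.EMP.SELECT CLASS(MDSNTB) ID(PAYUSR) ACCESS(READ)
  RDEFINE MDSNTB DSN1.PAYROLL.EMP.UPDATE UACC(NONE) AUDIT(ALL(READ))
  PERMIT DSN1.PAYROLL.EMP.UPDATE CLASS(MDSNTB) ID(PAYADM) ACCESS(READ)
  SETROPTS RACLIST(DSNADM MDSNDB MDSNTB) REFRESH
/*
```

Note that ACCESS(READ) on an MDSNTB or DSNADM profile is the whole grant; there is no concept of UPDATE access to an UPDATE privilege. Auditing SYSADM and the UPDATE privilege with AUDIT(ALL(READ)) gives the SMF trail that the RACF SMF unload utility and the DB2 audit trace are later used to report on.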

Row & Column Level Access Control

Multi-level security overview; Security labels; Row level granularity; Multi-level security and SELECT; Multi-level security and INSERT; Multi-level security and UPDATE; Multi-level security and DELETE; Multi-level security and utilities; Row and column access control; row permissions; column masks.

Distributed Data Considerations

Distributed Data overview; DDF components; Communications tables; Security actions (client); Security actions (server with SNA client); Security actions (server with TCP/IP client).

RACF Utilities

RACF utilities; IRRUT100; IRRUT100 examples: output (Group), output (User); IRRUT200; IRRUT200 example JCL; IRRUT200 example output; IRRUT400; IRRUT400 example JCL; IRRADU00; IRRADU00 example JCL; ICHDSM00; ICHDSM00 example JCL; IRRDBU00; IRRDBU00 example; IRRRID00; IRRRID00 JCL; BLKUPD; IRRBRW00; SMF unload utility using XML; ICETOOL; IRRICE package; The Audit Reporting tool.

Auditing RACF

Auditing RACF; Auditor parameters; RACF Report Writer; Basic RACFRW commands; Full RACFRW syntax; Full SELECT syntax; Basic EVENT command; Full EVENT syntax; Full LIST syntax; RACFRW output example; Full SUMMARY syntax; RACF SMF data Unload utility; SMF Unload utility JCL; Using the unloaded RACF SMF data; Processing the RACF SMF data with DB2; Other reporting tools; The Data Security Monitor; The System & Group Tree Reports; Program Properties & Auth Caller Table Reports; Class Descriptor Table & RACF Exits Report; Global Access Table Report; Started Procedures Table Report; Selected User Attribute Reports; Selected Data Sets Report.

Auditing UNIX System Services Security Events

What can be audited; New RACF classes; RACF commands to implement; SMF records; UNIX commands to audit file access; File Security Packet (FSP); UNIX commands to implement auditing; List file & directory information; Setting the auditing option in the FSP; Auditing the superuser; FSP reporting - HFS Unload.

SETROPTS and RVARY

Basic SETROPTS; Dataset related parameters; General related parameters; In-storage profile parameters; B1 security parameters; JES parameters; Userid and password parameters; AUDIT parameters; SETROPTS command authority; The RVARY command; RVARY passwords; RACF FAILSOFT processing.

RACF Control Blocks

RACF control blocks; RACF Communications Vector Table (RCVT); Finding the RCVT; Understanding the RCVT; Data in the RCVT; RCVT vs ICB; SAF Vector Table (SAFV); Finding the SAFV; Accessor Environment Element (ACEE); Where's my ACEE?; ASXBSENV; TCBSENV; Local Control Block; Which ACEE is used?; Which ACEE do I need?; Caveat ACEE; Finding the active ACEE; Security Token; Security Token contents; Security Token uses; ACEE versus Token.

RACF Macros

RACF macros; Macro interfaces; The MVS router (SAF); RACF macros; What do they DO?; RACF macros: RACHECK, RACINIT, RACLIST, FRACHECK, RACDEF, RACSTAT; RACROUTE additions; ICHEINTY; The RACROUTE interface; RACROUTE MF= styles; SAF Parameter list (SAFP); Initialising SAFP; SAFP setup; SAF Work Area (SAFW); SAFW setup; History of REQSTOR & SUBSYS; Using REQSTOR & SUBSYS; Setting up REQSTOR and SUBSYS; Other RACROUTE information; The ACEE - AGAIN!; Return codes; REQUEST=Verify; RACINIT ENVIR= options; RACINIT ENVIR=CREATE; Who do you create?; RACINIT STAT=; ENVIR=CREATE ACEE=; Sample user/password=; Sample with PASSCHK=NO; Sample with Token; Create SESSION=; Create with TERMINAL=; POE=; TERMINAL= vs POE=; Sample with POE=; What about IP addresses?; RACINIT ENVIR=DELETE; ENVIR=DELETE ACEE=; Sample DELETE; REQUEST=AUTH; CLASS=; ENTITY/ENTITYX; ENTITY(X) examples; Sample RACHECK.

RACF Exits

RACF exits; ICHRTX00/01; Pre-processing for ICHRTX00; ICHRTX00: input, output; Pre-exit commonalities; Post-exit commonalities; Pre- to post- communication; Work area pointer; From post- to pre-; 'Gotchas' for SVC exits; Need some input; Finding the parameter list; Coding RACF exits; RACF command exit (IRREVX01); What's a 'dynamic exit'?; RACF IRREVX01 dynamic exit; What can you do in the exit?; IRREVX01 parameter list; The exit command buffer; Using the ACEE passed in the exit; Testing your command exit; Sample SETPROG command; Dynamic exit security.

Question & Answer Session


© RSM Technology 2017