RACF Security - Boot Camp

What you will learn

On successful completion of this course you will be able to:

• explain the need for security in business information systems
• describe how RACF meets business information systems security needs
• design a group structure to meet their installation's requirements
• explain & use RACF commands
• describe the effect of the various group profile related parameters
• explain the management and use of the various non-RACF segments in user profiles
• connect users to groups and manage the assigned group authorities
• use the data set related commands to manage both discrete and generic profiles
• manage general resources
• use and explain the operation of the basic setropts management commands
• use and interpret the output of the Data Security Monitor
• use the database unload utility, cross reference utility, remove id utility, database verification utility, database split/merge/extend utility, and the database block update utility
• run and interpret auditing reports
• describe and explain in detail the RACF architecture, its components and facilities
• understand and use the SETROPTS and RVARY command to manipulate the RACF options and database
• use Advanced General Resources classes
• define users to use TSO and SDSF
• define the parameters needed to set up security for JES2
• describe the facilities provided by RRSF
• describe the B1 Security parameters including Security labels, levels and categories
• list what facilities RACF provides for Digital Certificates
• customise RACF to meet the requirements of their organisation and its environment
• describe how RACF interacts with USS, Db2 for z/OS and CICS
• describe and use all of the RACF Utilities
• identify how the operation of RACF changes when running in a parallel sysplex
• describe and explain the IPL process and the security issues associated with facilities such as APF, PPT, System Exits and Linklist
• describe the components of the RACF database
• describe the necessary requirements to implement a secure UNIX System Services environment
• administer file access
• list the RACF UNIX System Services General Resource Classes
• move around the UNIX System Services environment and describe the use of shell
• implement UNIX System Services commands
• use file systems and ACLs
• mount and un-mount HFS files
• understand the use of superuser and UID(0)
• describe Db2 security
• understand terminology used with Db2 security
• describe the necessary requirements to implement a secure RACF CICS environment
• describe how CICS and Db2 security work together
• describe the necessary requirements to implement a secure RACF WebSphere environment
• describe the necessary requirements to implement a RACF MQ application.

Who Should Attend

Systems Programmers and Security Administrators coming new to RACF.

Prerequisites

A firm grounding in the mainframe computing environment, including skills in TSO and JCL.

Duration

10 days

Fee (per attendee)

P.O.A.

This includes free online 24/7 access to course notes.

Hard copy course notes are available on request from rsmshop@rsm.co.uk

at £50.00 plus carriage per set.

Course Code

RABC

Contents

Introduction to RACF

What is RACF?; Why do we need security?; Security in the 'old days'; Security these days; What security do we need?; Where are the dangers?; How can RACF help?; RACF profiles; How RACF operates; The RACF database; Multiple data set database; Resource classes.

z/OS Technical Overview

z/OS controls & drivers; The IPL process; PARMLIB & IPLPARM; Display IPLINFO; LOADxx & IODF; System parameter list IEASYSxx; What is APF?; Defining an APF authorised library; Program Properties Table; Linklist; Dynamic changes; SMFPRMxx; System exits; In-storage profiles; RACLIST & GENLIST; Group tree in storage; ACEE data in memory.

The RACF Database

The RACF database; Database format; Database templates; RACF templates; Issues; Dynamic template objectives; New template support; RACF initialisation; IRRMIN00; Multiple database support; RACF database sharing; The RVARY command; RVARY passwords; RACF FAILSOFT processing; Database backup & recovery.

SETROPTS and RVARY

Basic SETROPTS; Dataset Related parameters; General Related Parameters;InStorage Profile parameters, B1 Security parameters;JES parameters; Userid and Password parameters; AUDIT parameters; SETROPTS command authority; the RVARY command;RVARY Passwords; RACF FAILSOFT processing .

RACF in a Sysplex

Types of Sysplex; basic Sysplex; Parallel Sysplex; RACF and Sysplex; RACF communication; RACF data sharing; RACF data sharing problems; the four Sysplex modes; the RACF database name table; Coupling Facility structures; defining Coupling Facility structures; in-storage profiles; RACLISTed profiles via RACROUTE; in-storage profiles and Sysplex; introducing RACGLIST; RACGLIST and REFRESH; using RACGLIST.

The RACF Manuals

The manual library; RACF Security Administrators' Guide; RACF features; z/OS features; Other products; Related non-RACF manuals; RACF command language reference; BookManager and Adobe pdf.

Planning for Security

The Security Policy; Resource ownership; How to protect resources?; Grouping resources and users; Document the plan.

The RACF Commands

Entering RACF commands; RACF commands and the manuals; Entering RACF commands in batch; Online Help.

RACF Modules

RACF control tables; Modules everywhere!; ICHRDSNT; ICHRRNG; Class Descriptor Table (CDT); Dynamic CDT; Defining a Dynamic CDT; Rules; POSIT values; New segment CDTINFO; CDTINFO options; Managing Dynamic CDTs; Migration Utility (CDT2DYN); ICHRFR01; ICHRIN03; ICHAUTAB; ICHNCV00.

Group Structure

What are Groups?; Why have Groups?; Users and Groups; The initial group structure; The Group Hierarchy; System Special and Group Special; Group Profile ownership; Group connections.

Defining RACF Groups

Group profile commands; Basic ADDGROUP; Specifying the SUPerior GROUP & OWNER; Other ADDGROUP parameters; Non-RACF segments - DFP, z/OS and zVM; Full ADDGROUP syntax; Full ALTGROUP syntax; Full LISTGRP syntax; LISTGRP output; Full DELGROUP syntax; Group command authority; SEARCH command.

Defining Users

User profile commands; Basic ADDUSER; Specifying the default group; Group authority; Class authority; RACF authorities; RACF attributes; Security levels and security categories; Security level checking; Security category checking; Security labels; Other ADDUSER parameters; Non-RACF segments; Full ADDUSER syntax; Basic ALTUSER; ALTUSER-only parameters; Full LISTUSER syntax; LISTUSER output; Full DELUSER syntax; User command authority; Basic PASSWORD; Changing other users' passwords; Full syntax of PASSWORD; Password command authority.

Connecting Users to Groups

Connect and Remove Commands; Basic CONNECT; Full CONNECT Syntax; Basic REMOVE; Full REMOVE Syntax; Connect/Remove command authority.

Defining TSO Users

TSO & RACF; The TSO segment of a user profile; TSO General Resource classes; TSO/E logon screen; TSO administration; Defining TSOPROC class and profiles; Defining ACCTNUM class and profiles; Defining TSOAUTH class (including JCL, CONSOLE,PARMLIB and OPER); When the class is CONSOLE; When the class is OPERCMDS.

Dataset Profiles

Dataset profile commands; Basic ADDSD; Discrete data set profiles; Discrete profile parameters; Generic data set profiles; Generic wildcard characters - %; Generic wildcard characters - *; Generic wildcard characters - **; Specifying data set attributes; Access levels; Auditing access attempts; Profile copying; Security level & category checking; Other profile attributes; Full ADDSD syntax; Basic ALTDSD; ALTDSD-only parameters; Full ALTDSD syntax; Basic LISTDSD; Listing many data set profiles; Listing generic or discrete profiles; Specifying what to list; Full LISTDSD syntax; LISTDSD output; Full DELDSD syntax; Data set command authority; Basic PERMIT; Conditional access lists; Permitting many users access; Removing users and groups; Deleting access lists; Full PERMIT syntax; PERMIT command authority; SETROPTS REFRESH GENERIC(data set); SEARCH command basics; SEARCH control parameters; The FILTER & MASK parameters.

General Resource Profiles

General resource profile commands; Basic RDEFINE; Common RDEFINE parameters; Adding additional profile information; Full RDEFINE syntax; The Started Task Table; Using ICHRIN03; Using the STARTED class; Resource grouping classes; Protecting CICS transactions; Protecting load modules; Basic RALTER; RALTER-only parameters; Full RALTER syntax; Basic RLIST; Common RLIST parameters; Listing Non-RACF segments; Special RLIST features; Full RLIST syntax; RLIST output; Full RDELETE syntax; Remember PERMIT?; General resource command authority; The Global Access Checking table; In-storage profiles; In-storage profile parameters.

Introduction to UNIX System Services

Course agenda; What are 'Open Systems'?; z/OS USS; Benefits of USS; z/OS USS components; z/OS UNIX interfaces; HFS; SAF for z/OS UNIX; USS security with RACF.

Users & Groups

UNIX user definition; Users & Groups; User & Group Profiles; RACF User/Group profile extensions; UNIX identity; RACF commands for Users; RACF commands for Groups; System Resource limits; OMVS segment - additions; The SEARCH command; Security administration.

Superusers & UID/GID Management

User definition - superuser; BPX.SUPERUSER; Switch to superuser mode; Superuser granularity; UNIPRIV resource names; UNIPRIV class; Managing UIDs; Prevention of shared UIDs; Shared UIDs; Prevention of shared UIDs - example; Search enhancement to map UID & GID; Automatic UID/GID assignment.

Application Identity Mapping

Application Identity Mapping.

z/OS UNIX File Security

Directories & files; UNIX file security; Protecting directories & files; Access levels; The File Security Packet (FSP); Reading File Permissions; Basic - file authorisation checking; File Permission - examples; Protecting files; chmod command examples; chown command - change file owner; chmod - change file mode (permissions); Protecting files; File authorisation checking with UNIXPRIV; RESTRICTED attribute; Default file permissions & unmask; List file & directory information.

Access Control Lists (ACLs)

Access Control Lists (ACLs); Three Types of ACL; Two types of Access ACL - base; Two types of Access ACL - extended; Permission Bits & ACLs ; Authority to create ACLs; The getfacl & setfacl commands; getfacl; setfacl; Managing ACLs; getfacl - no ACLs; getfacl - display ACLs for directory; ACL examples; setfacl - change permission bits; ACL examples; ACL inheritance; Directory default ACLs; File default ACLs; getfacl - display all ACLs; UNIXPRIV & ACLs; Authorisation checking - summary; Recommendations.

Security for Daemons & Servers

UNIX level security for Daemons; RACF profiles for daemon security; Server overview; UNIX level security for servers; RACF profiles for server security; Recommendations.

Interpreting Messages

Interpreting ICH4081 messages; Interpreting BPX messages; Interpreting other messages.

RACF & Digital Certificates

Cryptography in Internet applications; Public key cryptography overview; What is a digital certificate?; Public key & certificate; Uses for certificates in applications; Secure Sockets Layer (SSL); Digital certificates and RACF; How RACF uses digital certificates; RACF classes & commands; RACF certification generation; RACDCERT command; Creating a certificate; Gencert examples; Key rings; Certification installation; RACDCERT ADD examples; Certification installation; Certificate management.

Advanced General Resources

The FACILITY Class in general; The HELPDESK function; Setting up the HELPDESK facility classes; Password Reset and List User with the Owner and Group functions; RACF Variables; Using the RACFVARS Class; Using RACF variables; FIELD Level access checking; Using the FIELD class;Delegating TSO Administration; Security for OMVS; Using the CFIELD class; What is a CUSTOM FIELD; RACF Command changes; Define a Custom Field; Activate a Custom Field; Putting data into a Custom Field; Authorisation for CSDATA; RACF Panel changes; RACF Profile segments; OPERATIONS Attribute; DASD volume operations; Access to DASD volumes; DASDVOL profiles; RACF security for TAPES; Tape volume protection; Tape dataset protection: TAPEVOL, BLP.

RACF & JES2/SDSF

RACF & JES2; JES resources protected by RACF; Batch user identification; Userid propagation; Surrogate Job Control; JES Earlyverification; Started Task identification; SETROPTS options for JES; Network Job Entry (NJE); Remote Job Entry (RJE); z/OS security environment; Resource classes for JES security; Securing jobs with RACF; Job input processing; Job submission control; Job validation; JES job input sources; JESINPUT - controlling Port-Of-Entry device names; Job name control; TSO SUBMIT/CANCEL commands; SURROGAT class; Surrogate job submission; Job input processing: PROPCNTL & SECLABEL; Nodes class; NJE security; Controlling transmission to other nodes; Controlling receipt of jobs & sysout; Propagation through NJE; Translation between nodes; RJE/RJP signon & logon security; Controlling output destinations; Spool protection; JES dataset name format; JESPOOL class profiles; Controlling messages; Controlling data transmission; SDSF; SDSF authorised commands; SDSF line & implicit commands.

RACF Remote Sharing Facility

The RACF Remote Sharing Facility; RACF command direction; RACF password synchronisation; managed user associations; controlling RACLINK use; controlling password synchronisation; controlling the AT keyword; automatic RACF command direction; controlling automatic RACF command direction; combined RACF command direction; use of ONLYAT keyword; automatic password synchronisation; controlling automatic password synchronisation; password synchronisation by command; combined RACF command direction; defining RRSF nodes; the RACF subsystem & parameter library; APPC and TCP/IP connections; Using Digital Certificates for RRSF.

Introduction to Db2 Security

Security overview; Sign-on security; Connection security; Db2 internal security; Other options; Security strategy (Transaction Manager or Db2); Security strategy (centralised or decentralised); Using remote applications..

Defining the Db2 Subsystem to RACF

Address space authorisation; Protected access profiles; RACF router table; Db2 address spaces; Permitting RACF access; Protecting Db2 datasets - create profiles; Protecting Db2 datasets - permitting access.

Defining Db2 Objects to RACF

Native Db2 security; Db2 with RACF; RACF / Db2 external security module; Installation; Mapping Db2 authorisation checks; Scope of RACF classes; Multi-subsystem scope classes; Single subsystem scope classes; Customisation; Db2 objects and RACF classes; Profiles; Privileges - buffer pools, storage groups & tablespaces ; Privileges - Db2 system; Privileges - database and schema; Privileges - tables, views, indexes and user-defined functions; Privileges - collection, plan and package; Privileges - distinct types, sequences and stored procedures; Privileges - administrative authorities; Insufficient authority; Migration tools.

CICS Overview

The CICS family; Today's CICS; Product Identifiers; What is CICS?; Terminology; CICS tables; What is a Business Transaction?; What is a CICS task /CICS transaction?; What is a CICS program?; CICS characteristics; On-line processing; IBM CICS Transaction Server for z/OS; Workload management; Access to CICS; Accessing CICS from the Web; CICS Web Support (CWS); CICS Web Services; CICS Web Services support; The IBM client family; IBM CICS Transaction Gateway, Version 7.0; XML support; CICS organisation; Application services; Principal Domains/Management modules; CICS resource definitions; RDO overview; RDO components; The CICS System Definition File; The CICS Global Catalog; Available documentation (RACF related).

Setting up CICS RACF Security

Setting up CICS RACF security; CICS SIT parameters; SIT parameters: typical configuration; Protect the CICS region; User access from a terminal; User signon; Controlling userid propagation; PROPCNTL; Surrogat; Member or grouping class? ; Example of member class profiles; Example of grouping class profiles; How RACF merges profiles; Who has access to STOH?; Setting up CICS RACF security.

IBM MQ Security Overview

Introduction; Non-Queue Sharing Groups; Queue Sharing Groups; IBM MQ security overview.

MQ Access Control and RACF

Connection security; RESLEVEL profile; RESLEVEL & Batch; RESLEVEL and CICS; Reslevel and IMS; Reslevel and Channel Initiator connections; RESLEVEL & IGQ; MQ API security; High Level Qualifiers; MQOPEN & MQPUT1; Queues requiring additional consideration; Model queues; MQADMIN class; API security - userids; How to read UserID tables; Userids - channel security; Receiving channels using TCP/IP; Receiving channels using APPC (LU6.2); Userids - IGQ security; MQ command security - two types; Command security - Userids; Link Level security - SSL.

Overview of WebSphere for z/OS

J2EE; Application Servers; WebSphere Application Server (WAS); Application Servers connect to data or transactions; WebSphere Application Server on z/OS; Execution environment; Connecting through an HTTP server; Connecting directly to WebSphere; Configuration options; Entire configuration kept in HFS; The basic component - Application Server; Nodes - collections of servers; Deployment Manager; Node Agent; The Cell; The Daemon; Key terms; Multiple cells allowed; How do we build it?; The Administrative Console; Security.

WebSphere & J2EE Security Overview

Where do you start?; Security terminology overview; WebSphere security introduction; Confidentiality using SSL; Authentication: Local OS (SAF); Authentication: LDAP; Authentication: Custom User Registry; Authentication: Trust Association Interceptor; Authorisation to servlets and EJBs; RunAS - delegation/surrogacy; Programmatic security -servlet; Programmatic security - EJB; Java Authorization Contract for Containers (JACC); WebSphere and Tivoli Access Manager.

Understanding the RACF Jobs

High-level view of the configuration process; Output of customisation scripts; SSL networked deployment; SSL Keyring; Userids & Groups for the Base App Server; High-level view of the configuration process; Creating the Security Domain; Define Common Group & Userids; CA certificate; EJBROLES; High-level view of the configuration process; Creating the Base AppServer; Define Userids; Assigning Userids to Started Tasks; SSL in base configuration; Keyring for Servant; Keyring for Administrator Client; SSL in base configuration; Access to server; Access to controller; Access to WLM functions; High-level view of the configuration process; Creating the Development Manager; Certificate for the Development Manager; Development Manager profiles; Empty Managed Node.

RACF Utilities

RACF utilities; IRRUT100; IRRUT100 examples: output (Group), output (User); IRRUT200; IRRUT200 example JCL; IRRUT200 example output; IRRUT400; IRRUT400 example JCL; IRRADU00; IRRADU00 example JCL; ICHDSM00; ICHDSM00 example JCL; IRRDBU00; IRRDBU00 example; IRRRID00; IRRRID00 JCL; BLKUPD; IRRBRW00; IRRRID00 JCL; SMF unload utility using XML; ICETOOL; IRRICE package; The Audit Reporting tool.

Auditing RACF

Auditing RACF; Auditor parameters; RACF Report Writer; Basic RACFRW commands; Full RACFRW syntax; Full SELECT syntax; Basic EVENT command; Full EVENT syntax; Full LIST syntax; RACFRW output example; Full SUMMARY syntax; RACF SMF data Unload utility; SMF Unload utility JCL; Using the unloaded RACF SMF data; Processing the RACF SMF data with DB2; Other reporting tools; The Data Security Monitor; The System & Group Tree Reports; Program Properties & Auth Caller Table Reports; Class Descriptor Table & RACF Exits Report; Global Access Table Report; Started Procedures Table Report; Selected User Attribute Reports; Selected Data Sets Report.

Auditing UNIX System Services Security Events

What can be audited; New RACF classes; RACF commands to implement; SMF records; UNIX commands to audit file access; File Security Packet (FSP); UNIX commands to implement auditing; List file & directory information; Setting the auditing option in the FSP; Auditing the superuser; FSP reporting - HFS Unload.

RACF Control Blocks

RACF control blocks; RACF Communications Vector Table (RCVT); Finding the RCVT; Understanding the RCVT; Data in the RCVT; RCVT vs ICB; SAF Vector Table (SAFV); Finding the SAFV; Accessor Environment Element (ACEE); Where's my ACEE?; ASXBSENV; TCBSENV; Local Control Block; Which ACEE is used?; Which ACEE do I need?; Caveat ACEE; Finding the active ACEE; Security Token; Security Token contents; Security Token uses; ACEE versus Token.

RACF Macros

RACF macros; Macro interfaces; The MVS router (SAF); RACF macros; What do they DO?; RACF macros: RACHECK, RACINIT, RACLIST, FRACHECK, RACDEF, RACSTAT; RACROUTE additions; ICHEINTY; The RACROUTE interface; RACROUTE MF= styles; SAF Parameter list (SAFP); Initialising SAFP; SAFP setup; SAF Work Area (SAFW); SAFW setup; History of REQSTOR & SUBSYS; Using REQSTOR & SUBSYS; Setting up REQSTOR and SUBSYS; Other RACROUTE information; The ACEE - AGAIN!; Return codes; REQUEST=Verify; RACINIT ENVIR= options; RACINIT ENVIR=CREATE; Who do you create?; RACINIT STAT=; ENVIR=CREATE ACEE=; Sample user/password=; Sample with PASSCHK=NO; Sample with Token; Create SESSION=; Create with TERMINAL=; POE=; TERMINAL= vs POE=; Sample with POE=; What about IP addresses?; RACINIT ENVIR=DELETE; ENVIR=DELETE ACEE=; Sample DELETE; REQUEST=AUTH; CLASS=; ENTITY/ENTITYX; ENTITY(X) examples; Sample RACHECK.

RACF Exits

RACF exits; RACF exits; RACF exits; ICHRTX00/01; Pre-processing for ICHRTX00; ICHRTX00: input, output; Pre-exit commonalities; Post-exit commonalities; Pre- to post- communication; Work area pointer; From post- to pre-; 'Gotchas' for SVC exits; Need some input; Finding the parameter list; Coding RACF exits; RACF command exit (IRREVX01); What's a 'dynamic exit'?; RACF IRREVX01 dynamic exit; What can you do in the exit?; IRREVX01 parameter list; The exit command buffer; Using the ACEE passed in exit; Testing your command exit; Sample SETPROG command; Dynamic exit security.

Question & Answer Session