Advanced Mainframe Security using RACF

This course is designed, written and presented by specialist RACF consultants. It provides a detailed insight into the technical architecture of RACF and z/OS. The course describes and explains how RACF is implemented and how it can be customised using standard RACF facilities. The course also covers such topics as The IPL Process, APF Authorisation, SMF, MQ, Db2, CICS, RRSF, USS and more.

Classroom dates (High Wycombe) - click to book!

8 April 2019


On successful completion of this course you will be able to:

  • describe and explain in detail the RACF architecture, its components and facilities
  • understand the IPL process, and how RACF can be used to provide additional functionality
  • customise RACF to meet individual customer requirements
  • describe the major interactions between MQ, CICS, USS & Db2 with RACF.

Who Should Attend

The course is suitable for all systems programmers and senior RACF administrators who need to understand the technical aspects of RACF, along with the customisation opportunities available.


Attendees should have a clear understanding of RACF at both the conceptual and practical levels.


5 days

Fee (per attendee)

£2550 (ex VAT)

Course Code



RACF Overview

RACF history; z/OS SecureWay Security Server; Supported environments; Open Cryptographic Enhanced Plugin (OCEP); Lightweight Directory Access Protocol (LDAP); Distributed Computing Environment (DCE); Security Service; Firewall Technologies (FT); Network Authentication Server (NAS); How RACF works; Overview of resource access; Authorisation checking; RACF profiles; RACF commands; Logging; Auditing.

The RACF Database

Database format; Database templates; Issues; RACF initialisation; RRMIN00; Multiple database support; RACF database sharing; RACF & sysplex; Datasharing issues; RACF Remote Sharing Facility; RACF command direction; Password synchronisation; Managed user associations; Controlling RACLINK use; Controlling password synchronisation; Controlling the AT keyword; Automatic command direction; Combined RRSF command direction; Use of the ONLYAT keyword; Automatic password synchronisation; Password synchronisation by command; Combined RRSF password synchronisation; Defining RRSF nodes; The RACF subsystem & parameter library; Application identity mapping; The RVARY command; RACF FAILSOFT processing; Database backup & recovery.


RACF & JES2; JES2 resources protected by RACF; Batch user identification; Userid propagation; Surrogate Job Control; JES EARLYVERIFY; Started Task identification; SETROPTS options for JES; Network Job Entry (NJE); Remote Job Entry.

RACF & MVS Consoles & Commands

Console LOGON options; Protecting MVS/JES consoles & commands; Overview of protection; MVS command protection; JES2 command protection.

Facility Class Profiles

Definition of Facility; What uses Facility?; What have I got?; Tape controls; Security Server; IEAVECTOR; z/OS dynamic lists; Dynamic Link List; LLA - Library LookAside; Dynamic LPALST; APF List ; Dynamic exits; UNIX Systems Services; DCE; Storage dump controls; Catalog controls; Other SMS controls; Extended Remote Copy & Peer to Peer Remote Copy; DFSMSdss; DFSMSrmm; ICKDSF; Sysplex; Workload Manager.


RACF & CICS; The CICS RACF interface; The role of CICS in security control; Region-wide requirements; Interface implementation; Protected resources; CICS Inter Communication (MRO & ISC); MRO/ISC BIND-time security; MRO/ISC Link security; MRO/ISC user security; CICS resource definition; RACF & CICS SIT parameters; SIT parameters: typical configuration; Member or grouping class?; Example of member class profiles; Example of grouping class profiles; How RACF merges profiles; Who has access to STOH?; CICS & RACF callable services.

RACF Utilities

Template overview; RACF templates; Dynamic template objectives; New template support; RACF Initialization; IRRMIN00; IRRUT100 utility; IRRUT200 utility; IRRUT300 utility (BLKUPD); IRRUT400 utility; IRRADU00 utility; ICHDSM00 utility; IRRDBU00 utility; IRRRID00 utility; IRRBRW00 utility.

RACF Control Blocks

RACF control blocks; RACF Communication Vector Table (RCVT); SAF Vector Table (SAFV); Accessor Environment Element (ACEE); Where's my ACEE?; ASXBSENV; TCBSENV; Local Control Block; Which ACEE is used?; Which ACEE do I need?; Caveat ACEE; Finding the active ACEE; Security Token; ACEE versus Token.

RACF Modules

RACF control tables; Modules everywhere!; ICHRDSN; ICHRRNG; Class Descriptor Table (CDT); Dynamic CDT; Rules; POSIT values; CDTINFO options; Managing Dynamic CDTs; Migration Utility (CDT2DYN); ICHRFR01; ICHRIN03; ICHAUTAB; ICHNCV00.

RACF Macros

RACF macros; Macro interfaces; The MVS router (SAF); RACF macros: RACHECK, RACINIT, RACLIST, FRACHECK, RACDEF, RACSTAT; ICHEINTY; The RACROUTE interface; RACROUTE MF= styles; SAF parameter list (SAFP); Initialising SAFP; SAFP Setup; SAF Work Area (SAFW); SAFW setup; REQSTOR & SUBSYS; Other RACROUTE information; Return codes; REQUEST=Verify; RACINIT ENVIR= options; RACINIT ENVIR=CREATE; RACINIT STAT=; ENVIR=CREATE ACEE=; Sample user/password= ; Sample with PASSCHK=NO; Sample with Token; Create SESSION=; Create with TERMINAL=; POE=; TERMINAL= vs POE=; Sample with POE=; What about IP addresses?; RACINIT ENVIR=DELETE1; ENVIR=DELETE ACEE=; Sample DELETE; REQUEST=AUTH; CLASS=; ENTITY/ENTITYX; ENTITY(X) examples; Sample RACHECK.

RACF Exits

RACF exits; ICHRTX00/01; Pre-processing for ICHRTX00; ICHRTX00; ICHRTX00 input & ICHRTX00 output; Pre-exit commonalities; Post-exit commonalities; Pre to post communication; Work area pointer; From post to pre; 'Gotchas' for SVC exits; Finding the parameter list; Coding RACF exits; RACF command exit (IRREVX01); RACF IRREVX01 dynamic exit; Using the ACEE passed in exit; Testing your command exit; Sample SETPROG command; Dynamic exit security.

z/OS Technical Overview

z/OS controls & drivers; IPL process; Parmlib & Iplparm; LOADxx & IODF; Display IPLINFO; System parameter list IEASYSxx; z/OS storage; What is APF?; Defining an APF authorised library; Program Properties Table; Linklist; Dynamic changes; SMFPRMxx; System exits..


Defining the DB2 subsystem to RACF; Address space authorisation; Protected access profiles; RACF router table; DB2 address spaces; Permitting RACF access; Protecting DB2 data sets - profiles & Permits; Defining DB2 objects to RACF; Native DB2 security; DB2 security with RACF; RACF/DB2 external security module; Installation; Mapping DB2 authorisation checks; Scope of RACF classes; Multi-subsystem scope classes; Single subsystem scope classes; Customisation; DB2 objects and RACF classes; RACF profiles; Privileges; Administrative authorities; Insufficient authority; Migration tools; Multi-level security; Security label; Row level granularity; MLS with: SELECT, INSERT, UPDATE, DELETE, Utilities; Distributed Data Facility; Communications tables; Security actions (Client); Security actions (Server - SNA); Security actions (Server - TCP/IP).

RACF & Cryptography

Why use cryptography; ICSF - What is it?; Activating the Crypto Facility; Assigning Crypto to LPAR; Assigning Crypto Domains to LPAR; Assigning Crypto Domains to LPAR - with options; Activating ICSF for Crypto usag; Defining the CSF Control Data Sets; Defining the CSF Control Data Sets; SYS1.PARMLIB (CSFPRM00); SYS1.PROCLIB (CSF); Setup Linklist; Starting CSF; Define Domain Master Key; IDCAMS Repro - Clear Key; IDCAMS Repro - Enciphered Key.

RACF & WebSphere MQ

Non-Queue Sharing Groups; Controlling security; High Level Qualifiers; Shared Queue Manager environment; Controlling security - switch profiles; Switch profiles; Security switch options; Queue Sharing Groups - the rules; Access control; RESLEVEL profile; RESLEVEL &: Batch, CICS, IMS, Channel Initiator Connections, IGQ; Queue Manager profiles; MQ API security; MQ command security - two types; Command security - Userids; Link Level security - SSL; RACF & WebSphere MQ administration; MQ commands; Security messages; Security messages - display after refresh; Administration - RESLEVEL auditing.

RACF & UNIX Systems Services

What is 'UNIX Systems Services'?; How is it related to RACF?; UNIX identity; UNIX user definition; User definition - superuser; Superuser granularity; UNIPRIV resources names; System resource limits; Default UNIX user & group identity; Prevention of shared IDs; SEARCH enhancement to map UID & GID; Automatic UID/GID assignment; Ways of assuming another UNIX identity; set-UID & set-GID files; The su command; Controlling Daemons; Controlling servers; Auditing users & processes; UNIX auditing; The ISPF Shell; File Systems are contained in z/OS data sets; Using UNIX files; UNIX file security; File access control with Permission Bits; Making the RESTRICTED attribute applicable to UNIX files; Using the UNIX 'find' command 1; chown command - Change File Owner; chmod command - Change File Mode (permissions); Access Control Lists (ACLs); File access control with Permission Bits and ACLs; getfacl and setfacl commands; Overriding UNIXPRIV authority with ACL entries; ACL inheritance; Default file permissions and the unmask command; Programs in the file system; UNIX file auditing; chaudit command: setting file level auditing options; File system security reporting - HFS unload.

RACF & Digital Certificates

Cryptography in Internet applications; Public Key cryptography; What is a Digital Certificate?; Public Key & Certificate; Uses for certificates in Internet applications; Secure Sockets Layer (SSL); How RACF uses Digital Certificates; RACF classes & commands; RACF Certificate generation; RADCERT command; Examples of the RADCERT command; Creating a Certificate; GENCERT - examples; Key rings; Certification installation; RADCERT ADD examples; Certificate management; Miscellaneous items; Common exploiters of Certificates on z/OS; Two ways to renew a Certificate; Renew a certificate with the original key pair; Renew a certificate with a new key pair; How to share a certificate's private key in a keyring.

What the students say

Impressed with tutors knowledge. Will recommend we use RSM for future MVS training.

Systems Security Analyst

HSBC plc

© RSM Technology 2018