IBM IMS Security with RACF

1

Part 1: IMS SECURITY BASICSPart 2: SMU CONVERSIONMaida Snapper, IMS Specialist, [email protected]

Click t

o buy NOW!

PDFXCHANGE

www.docutrack.com Clic

k to buy N

OW!PDFXCHANGE

www.docutrack.com

mailto:[email protected]

http://www.docu-track.com/index.php?page=38


2

1

© Copyright IBM Corporation [current year]. All rights reserved.U.S. Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP ScheduleContract with IBM Corp.

THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSESONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THEINFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS” WITHOUT WARRANTY OFANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENTPRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBMSHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISERELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THISPRESENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES ORREPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS ANDCONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE USE OF IBM PRODUCTS AND/ORSOFTWARE.

IBM, the IBM logo, ibm.com, DB2, CICS, RACF and IMS are trademarks or registered trademarks of International BusinessMachines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are markedon their first occurrence in this information with a trademark symbol (® or ™ ), these symbols indicate U.S. registered orcommon law trademarks owned by IBM at the time this information was published. Such trademarks may also be registeredor common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright andtrademark information” at www.ibm.com/legal/copytrade.shtml

Other company, product, or service names may be trademarks or service marks of others.

Disclaimer

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com

http://www.ibm.com/legal/copytrade.shtml



3

2

Click to edit Master title style

PART 1: SECURITY BASICS

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



4

3

Develop an IMS Security Strategy

§ Which IMS resources need protection

§ What protection do they need

§ Who can access them

§ What security facilities will be used

Ø There is often more than one way to protect a givenresource.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



5

4

Which Resources Need Protection§ IMS application (CTL, DL/I, etc)

§ Transactions

§ Commands

§ Terminals

§ PSBs

§ Datasets

§ Databases (records, fields, segments)

§ Dependent regions and connection threads

§ Coupling Facility structures

§ IMSPlex

§ XCF group

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



6

5

Security Facilities

§ IMS default security

§ Program Specification Block (PSB)

§ Encryption

§ VSAM password protection

§ Applicationbased security

§ Physical security

§ RACF (or other SAF product)

§ Exits

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



7

6

Security Facilities –IMS Default Security

IMS default security

§ Exits


§ Encryption





Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



8

7

Security Facilities IMS Default Security§ Limits commands from sources other than IMS Master and TCO

§ Applies only to IMS type1 commands

§ Is based on command source of entry

§ Is what you get when you do not specify a command security option forcommands entered from that source

§ Is not optionalcan only be deactivated by specifying command security forcommands entered from that source

IMS V10 Command Reference Volume 1

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



9

8

Security Facilities –IMS Default SecurityCommands allowed by default when static or ETO terminal is the source of entry:

/BROADCAST/CANCEL/DIAGNOSE/END/EXCLUSIVE/EXIT/FORMAT/HOLD/IAM/LOCK/LOG

/LOOPTEST/RCLDST/RCOMPT/RDISPLAY/RELEASE/RESET/RMLIST/SET/SIGN/TEST/UNLOCK

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



10

9

Security Facilities –IMS Default SecurityCommands allowed by default when OTMA is the source of command entry:

/LOCK/LOG/RDISPLAY

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



11

10

Security Facilities –IMS Default SecurityCommands allowed by default when LU6.2 is the source of command entry:

/BROADCAST/LOCK/LOG/RDISPLAY/RMLIST

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



12

11

Security Facilities IMS Default Security

EXAMPLE

RCF=AAPPCSE=N

RDEF CIMS DIS UACC(READ)

Result:

/DIS from 3270type terminals is accepted/DIS from LU6.2 over APPC is a security violation

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



13

12

Security Facilities –PSB


§ Exits

Program Specification Block (PSB)

§ Encryption





Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



14

13

Security Facilities –PSB§ PSB (Program Specification Block) provides database security

– Data sensitivity (SENSEG, SENFLD) describes application view ofdatabase

– Processing options (PROCOPT) define what application can do (e.g. reador update)

§ PSB should be coded to facilitate security requirements– Define only the segments and fields needed– Use only the processing option needed

§ PSB is a trusted resource– IMS makes no security calls for hard coded resources in a PSB– A user authorized to submit a transaction using the PSB is also authorized

to submit a transaction to a destination hard coded in the alternate PCB.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



15

14

Security Facilities Encryption


§ Exits


Encryption





Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



16

15

Security Facilities –Encryption

Database encryption may be performed by

§ zSeries and S/390 Crypto Hardware features

§ z/OS Cryptographic ServicesIntegrated Cryptographic Service Facility (ICSF), a component of

z/OS Cryptographic Services, is the software interface to thecrypto hardware

§ Segment Edit/Compression Exit Routine (DFSCMPX0)– can invoke user supplied encryption routine– can call ICSF or other product– can invoke IBM Data Encryption for IMS and DB2 Databases

tool (5655P03)– can be different for each segment

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



17

16

Encryption

Data Encryption for DB2 and IMS Databases tool:

§ requires the IBM optional Crypto Express2 (CEX2) hardwarefeature

§ requires ICSF, the software interface to the crypto hardware

§ requires the standard CP Assist for Crypto Function (CPACF) beenabled and active if the clear key exit is used

§ is recommended over roll your own solutions as extensive testinghas been done to ensure the product works with all the productinterfaces

§ requires no changes to applications, just a change toDBD to define the exit routine

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



18

17

Security Facilities –Encryption

NAME

ADDRESS PAYROLL

Sample PAYROLL Database

SEGM … ,COMPRTN=(routinename,DATA,INIT,MAX)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



19

18

Security Facilities –EncryptionSample DBD For Payroll Database

DBD NAME=PAYROLDB,ACCESS=HISAMDATASET DD1=PAYROLL,OVFLW=PAYROLOV,

SEGM NAME=NAME,BYTES=150,FREQ=1000,PARENT=0FIELD NAME=(EMPLOYEE,SEQ,U),BYTES=60,START=1,TYPE=CFIELD NAME=MANNBR,BYTES=15,START=61,TYPE=CFIELD NAME=ADDR,BYTES=75,START=76,TYPE=C

SEGM NAME=ADDRESS,BYTES=200,FREQ=2,PARENT=NAMEFIELD NAME=HOMEADDR,BYTES=100,START=1,TYPE=CFIELD NAME=COMAILOC,BYTES=100,START=101,TYPE=C

SEGM NAME=PAYROLL,BYTES=100,FREQ=1,PARENT=NAME,COMPRTN=(DFSCMPX0,DATA,INIT,MAX)FIELD NAME=HOURS,BYTES=15,START=51,TYPE=PFIELD NAME=BASICPAY,BYTES=15,START=1,TYPE=P

DBDGENFINISHEND

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



20

19

Security Facilities –VSAM Password Protection


§ Exits


§ Encryption

VSAM password protection




Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



21

20

Security Facilities VSAM Password Protection

VSAM password protection for IMS databases in batchenvironments

§ prevents accidental access of IMS databases by nonIMSprograms

§ used in conjunction with VSAM CONTROLPW specificationon VSAM DEFINE statements

§ specify PASSWD=YES/NO on DBD

§ ignored in IMS Online (DB/DC) environment

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



22

21


PASSWD=NO on DBD statement

§ is the default

§ specifies that the DBDNAME for this DBD should notbe used as the VSAM password

§ in IMS Batch, causes operator to be prompted forpassword each time data set opened

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



23

22


PASSWD=YES on DBD statement

§ DL/I open uses DBDNAME as the VSAM password for eachdataset

§ all datasets for the DBD must use same password

§ CONTROLPW or MASTERPW password on VSAM DEFINE mustbe the same as DBDNAME for the DBD

§ invalid for ACCESS=LOGICAL, MSDB, DEDB

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



24

23

Security Facilities –Applicationbased security


§ Exits


§ Encryption


Applicationbased security

– Physical security

– RACF (or other SAF product)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



25

24

Security Facilities Applicationbased security

§ Application program can perform its own security checks

§ Security rules could be stored in– Internal table in program– Database– RACF

Application program can access RACF info with DL/I AUTH call• Database• Field• Segment• Other

§ Application program grants or denies resource access based onUSERID of the user who entered the transaction

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



26

25

Security Facilities –Physical Security


§ Exits


§ Encryption



Physical security


Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



27

26

Security Facilities –Physical Security

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



28

27

Security Facilities RACF


§ Exits


§ Encryption




RACF (or other SAF product)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



29

28

Setting Up RACF

§ Create Resource Class descriptions in Class Descriptor Table (CDT)e.g. TIMS, CIMS, or installation defined

§ Make sure IMS Resource Classes are activated in RACF

§ Populate the RACF database

– Create group & user profiles• Define groups• Define users• Connect users to groups

– Create resource profilesDefine a profile in the appropriate class for each resource to be secured

– Create access listsPermit groups | users to access resource

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



30

29

RACF Resource Class

§ Collection of profiles with similar characteristics

§ Defined in Class Descriptor Table (CDT)– Can be defined dynamically– Maximum 1024

§ Two types of resource classes– Member class

example, CIMS: one profile protects one command– Grouping class

example, DIMS: one profile protects several commands

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



31

30

RACF Resource Class

Example of some resource classes delivered with RACF:

TIMS CIMS IIMS LIMS

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



32

31

RACF Resource Class

RACF default resource classes used exclusively by IMS(RCLASS=IMS)

CIMS | DIMS Commands (first 3 characters of command)TIMS | GIMS Transactions (trancode)IIMS | JIMS Program Specification Blocks (PSBs)LIMS | MIMS Logical terminals (LTERM)AIMS APSB (Allocate PSB) for CPICPSB and ODBARIMS asynch hold queues for RESUME TPIPE callFIMS | HIMS Database fields (for AUTH calls)SIMS | UIMS Database segments (for AUTH calls)IIMS | WIMS Other (information in RACF for AUTH calls)PIMS | QIMS Databases (for AUTH call)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



33

32

RACF Resource Class

RACF resource classes not exclusive to IMS

TERMINAL | GTERMINLAPPLVTAMAPPLAPPCPORTAPPCLUAPPCTPDATASETFACILITYOPERCMDSSTARTED

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



34

33

RACF Resource Class

Example of some installationdefined resource classes whenRCLASS=IMSTEST:

TIMSTEST CIMSTEST IIMSTEST LIMSTEST

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



35

34

RACF Resource Class§ RCLASS specification in IMS = 17 alphanumerics

– define on SECURITY macro– override in DFSDCxxx– default = IMS

§ Different RCLASS can be used to define different RACF rules for different IMSsystems sharing one RACF database– example 1: RCLASS=IMSTEST– example 2: RCLASS=imsid

§ Define each new resource class in Class Descriptor Table (CDT)

§ Activate resource classes in RACFSETR CLASSACT(classname)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



36

35

RACF Resource Class

§ Class Descriptor Table (CDT)– entries can be defined statically (IPL) or dynamically (no IPL)– maximum 1024 entries

• 256 defined by IBM• 768 can be installationdefined

– loaded at IPL by merging static, then dynamic class descriptors– dynamic entry will replace static of the same name– if merge reaches 1024, RACF warns entries are being ignored– CDT processes a paired member and grouping class together.

§ Updating the RACF Router Table for new resource classes not required

§ Supplied CDT entries are documented in Appendix C of the z/OSSecurity Server RACF Macros and Interfaces

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



37

36

Populate the RACF Database

Consists of profiles

§ Group profileDefines group name, group authority, subgroup, ...

§ User profileDefines individual user ID, password, user attributes, connect

groups, ...

§ Resource profileDefines security requirements for a resource

– Defines Universal Access– Defines authorized users/groups (access list)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



38

37

RACF GROUP and USER Profiles

Example of defining group and user profiles(Not all required parameters shown here)

ADDGROUP IMSGRP4 … .ADDGROUP DBAGRP… .

ADDUSER IMSUS99 NAME(BILL) PASSWORD(IMSPW99) DFLTGRP(IMSGRP4) …

CONNECT IMSUS99 GROUP(IMSGRP4) … .

CONNECT IMSUS99 GROUP(DBAGRP) … .

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



39

38

RACF GROUP and USER Profiles

§ When IMS resources are protected by RACF– IMS needs a user ID– DLI/SAS needs a user ID– Dependent region may need a user ID

§ The user IDs are needed for– Access to system resources and data sets

For example, System dump data set– Access to IMS protected data sets

For example, IMS RECON or RESLIB– Access to IMS resources as the default user ID

§ User IDs can be created using RACF STARTED class

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



40

39

RACF Resource Profiles

§ Discrete profile– protects a singular resource– fully qualified profile name

§ Generic profile– protects one or more resources of the same type– profile contains generic (wildcard) characters– SETR GENERIC(classname) to enable generics

§ Fullyqualified generic profile– used only by the DATASET resource class– used to retain profile when dataset deleted

if multiple profiles exist for a resource, RACF uses the most specific

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



41

40


Define a RACF resource profileRDEFINE | RDEF

classname profilename UACC(accessauthority)

§ classname is the RACF resource class§ profilename is the IMS resource name§ UACC is the universal access authorityExamples:RDEFINE TIMS IMSTRANA UACC(READ)RDEFINE TIMS IMSTRAN* UACC(NONE)RDEFINE CIMS DIS UACC(READ)RDEFINE DIMS DBACMDS UACC(NONE) ADDMEM(STO,STA,DBR)

§ z/OS Security Server RACF Command Language Reference Appendix A. NamingConsiderations for Resource Profiles.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



42

41


RDEFINE CIMSDISUACC(READ)

RDEFINE DIMSDBACMDSADDMEM(STO,STA,DIS)UACC(NONE)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



43

42


IMSXCF.groupname.membernameFACILITYXCF grp (Client bid)dataset nameDATASETDataset

CSL.imsplexnameFACILITYIMSPlex (CSL)imsidAPPLIMS Control Region

CQSSTR.structure_name orIXLSTR.structure_name

FACILITYCF structures

IMS.plxname.command_verb.command_keywordOPERCMDSOM commandsafhlq.command_verb.qualifier.modifierFACILITYDBRC commandlterm nameLIMS / MIMSLTERMpsb nameIIMS / JIMSPSBfirst 3 characters of commandCIMS / DIMSCommand (type 1)transaction nameTIMS / GIMSTransaction

RACFmember class profile name

RACFclass name

IMS resource

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



44

43


Universal Access Authority (UACC)§ Can be any one of the following

NONE, READ, EXECUTE, UPDATE, CONTROL, ALTER

§ READ is required for most IMS resources

§ UPDATE is required for– Some Type 2 commands– CQS access to CF structures (SMQ and RM)– Registering with SCI to join an IMSplex

§ CONTROL is required for– VSAM datasets open for update– IMSV10 gives option to open RECON for READ

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



45

44

RACF Access ListsAdd an access list to a resource profilePERMIT | PE

profilenameCLASS(classname)ID(userid(s) and/or groupname(s))ACCESS(accessauthority)

Examples:

PERMIT IMSTRAN* CLASS(TIMS) ID(GROUPA JOE) ACCESS(READ)

PERMIT STO CLASS(CIMS) ID(NANCY DBAGRP) ACCESS(READ)WHEN(TERMINAL(terminalid ...))

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



46

45

RACF Access Lists

§ User or Group Access Authority (ACCESS) can be:– NONE– READ– EXECUTE– UPDATE– CONTROL (for VSAM)– ALTER

§ Maximum entries in the access list of a profile is 5957– access list of each profile is limited to 65535 bytes– each user or group in the access list uses 11 bytes

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



47

46

RACF Access Lists

§ Associated with resource profiles

§ Define access authorities of GROUPs and USERs

NONEIMSADMINREADNONEREAD

GROUPYSTILWELLCM431GP

CIMSDIS

UACCProfile OwnerAccess LevelGroup orUserid

ResourceClass

Resource

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



48

47

Making RACF Security Changes Online

§ To update RACF security definition– update the RACF database– refresh the RACF data space from the database by issuing

SETROPTS RACLIST(classname) REFRESH

§ RACF refreshes all classes with the same CDT POSIT value asclassname

§ specify the member classname not the grouping classnamefor example, specify CIMS not DIMS

§ REFRESH must be entered on all members of a SYSPLEX unlessRACF is configured for SYSPLEX communication

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



49

48

How IMS Talks to SAF

§ When IMS initializes– IMS calls RACF to load IMS resource profiles into a data space (RACLIST)

RACROUTE REQUEST=LIST,GLOBAL=YES– DATASET, Group and User profiles are not eligible for data space– RACF builds ACEE for IMS user ID

§ When a user signs on to IMS– IMS calls RACF for sign on verification

RACROUTE REQUEST=VERIFY,ENVIR=CREATE,ACEE=addr… ..– IMS passes USERID,GROUP,PASSWRD,TERMID,APPL– RACF verifies user ID, password, TERMINAL, APPL– RACF builds ACEE– RACF returns ACEE address and return code to IMS

z/OS Security Server RACF RACROUTE Macro Reference

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



50

49


§ When a user accesses a resource– IMS calls RACF to check authorization

RACROUTE REQUEST=FASTAUTHIMS passes ACEE,CLASS,ENTITY,ATTRExample: RACROUTE REQUEST=FASTAUTH,

ACEE=addr,CLASS=CIMS,ENTITY=DIS,ATTR=READ– RACF sends return code to IMS

• 0 user is authorized• 4 resource has no profile• 8 user is not authorized

– IMS grants access if 0 or 4– If return code 8, IMS calls RACF for audit logging

RACROUTE REQUEST=AUTH with parameters similar to FASTAUTH– RACF checks authorization and logs violation messages

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



51

50


§ When a user signs off– IMS calls RACF to delete the user’s ACEE

RACROUTE REQUEST=VERIFY,ENVIR=DELETE,ACEE=addr…– RACF deletes user’s ACEE

§ When IMS terminates– IMS calls RACF to deregister interest in the resource classes

RACROUTE REQUEST=VERIFY,ENVIR=DELETE,ACEE=addr… ..– RACF deletes the ACEE for IMS user ID– GLOBAL=YES data spaces are not deleted

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



52

51


Accessor Environment Element (ACEE)§ Constructed by RACF when user signs on§ Deleted when user signs off§ Contains a description of the user’s security environment

–User ID–Current connect group–User attributes–Group authorities

ACEE documented in z/OS IBM Security Server RACF Data Areas

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



53

52

Summary of RACF Commands§ Adding profiles:

– ADDUSER add user profile (AU)– ADDGRP add group profile (AG)– ADDSD add dataset profile (AD)– CONNECT to associate USER with GROUP– RDEFINE define profile for general resource class (RDEF)– RALTER to make changes to profile

§ Creating access lists to allow access to resources– PERMIT define resource access list (PE)

§ Set RACF options: SETROPTS (SETR)– CLASSACT –activate the resource class– RACLIST –populate the dataspace– GENERIC –allow generic resource checking– REFRESH –refresh the dataspace

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



54

53

RACF in WARNING Mode for Migration

To ease migration

§ you can specify WARNING in the resource profile definition (RDEF)

§ in WARNING mode you can audit access attempts:– RACF records each access attempt– if user not authorized, RACF allows access and sends ICH408I– if notify user is specified in resource profile, RACF also sends

warning message to the user

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



55

54

Security Facilities Exits


Exits


§ Encryption





Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



56

55

Security Facilities –Exits§ Sign on/off verification

– DFSCSGN0– DFSSGNX0– DFSSGFX0

§ Transaction authorization– DFSCTRN0– DFSCTSE0 (reverify)– DFSBSEX0 (build security env)

IMS V10 Exit Routine Reference

§ Command authorization– DFSCCMD0– DSPDCAX0 (DBRC)– OM user exits

§ RAS (dependent region/thread)– DFSRAS00

§ Other– OTMA exits– DFSTCNT0 (TCO)– DFSCMPX0 (encryption)– DFSFLGE0 (log edit)– KBLA scrub

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



57

56

Security Facilities –Exits§ DFSCTRN0 is generally not invoked unless RACF return code is 0 or 4

§ DFSCTSE0 (reverification entry point of DFSCTRN0) is always invokedfor CHNG, AUTH calls no matter what the RACF return code is.

§ When DFSCCMD0 cannot be explicitly requested (e.g. APPCSE), it isinvoked if it exists no matter what the RACF return code is

§ DFSBSEX0 was offered to improve performance; allows you to control ifand when a security environment is dynamically built in cases where itdoes not exist (“back end”IMS, or user has signed off, for example)

§ Exits can be used to do more granular checking than RACF may offer

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



58

57

How to Specify the Security Facility You Want

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



59

58

Tell IMS What Security To Use

§ IMSGEN macros– (COMM)– (IMSGEN)– SECURITY– LINE– TERMINAL– TRANSACT– TYPE

§ Override IMSGEN macros with– IMS execution parameters in JCL or PROCLIB

§ Override JCL or PROCLIB with– IMS commands

• /NRE and /ERE• /SECURE• /SET

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



60

59

Security Macro IMS V9IMS V9 SECURITY macro specifies security options for IMS resources

– SMU security options– Other nonSMU security options, such as RACF and/or exit routine

options

TYPE=

SECLVL=

RCLASS=

3210SECCNT=

FORCEYESNOTRANCMD=

FORCEYESNOTERMNL=

FORCEYESNOPASSWD=

SECURITY

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



61

60

Security Macro IMS V10IMS V10 SECURITY macro specifies RACF and/or EXIT security options

TYPE=

SECLVL=

RCLASS=

3210SECCNT=

FORCEYESNOTRANCMD=

SECURITY

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



62

61

Security Macro

§ SECLVL= transaction authorization / signonverification

§ TYPE= RACF and/or EXITSchoose one from each column

NORAS NORACTRM NOTRANEX NOSIGNEX NORACFCMRASRACF RACFTERM TRANEXIT SIGNEXIT RACFCOMRASEXITRAS

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



63

62

IMS DB/DC Security Options

DFSPBxxx

These override SECURITY macro

TRN = Transaction authorization optionSGN = Sign on authorization optionISIS = Resource Access securityRCF = RACF security option(s)AOI1 = TRANCMD security option (TYPE 1 AOI)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



64

63

Sign On Verification (SGN) DFSPBxxx

SGN= overrides and augments SECURITY macro SECLVL

§ N specifies that the signon verification function is not in effect

§ Y specifies that the signon verification function is to be activated

§ F same as Y except the MTO cannot negate the activation of the signonverification function.

§ M single userid can sign on to multiple terminals (does not activate signonverification)

§ Z = Y + M

§ G = F + M

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



65

64

Transaction Authorization (TRN) DFSPBxxx

TRN= overrides SECURITY macro SECLVL§ N

Transaction authorization is inactive for this execution of IMS.Can be activated on /NRE or /ERE COLDSYS

§ YTransaction authorization is active for this execution of IMS

Can be deactivated on /NRE or /ERE COLDSYS§ F

Same as YCannot be deactivated on /NRE or /ERE COLDSYS

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



66

65

RACF Authorization (RCF) DFSPBxxx

RCF= overrides and augments SECURITY macro TYPE

§ N do not call RACF for signon verification, transaction or commandauthorization for input from static or ETO terminals

§ C call RACF to authorize commands entered from ETO terminals

§ S call RACF to authorize commands entered from both static and ETO terminals

§ T call RACF for signon verification and transaction authorization

§ Y call RACF for sign on verification, transaction authorization and commandauthorization for commands entered from ETO devices

§ A call RACF for sign on verification, transaction authorization and commandauthorization for commands entered from both static and ETO devices

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



67

66

More IMS DB/DC Security Options

DFSPBxxx

These have no equivalent on SECURITY macro

AOIS = ICMD security option (TYPE 2 AOI)CMDMCS = MCS/EMCS command optionODBASE = ODBA security optionAPPCSE = APPC security optionOTMASE = OTMA security optionTCORACF = TCO RACF command authorization security optionRVFY = RACF reverify optionRCFTCB = Number of RACF TCBsALOT = automatic logoff for ETOASOT = automatic signoff for ETO

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



68

67

IMS DC Security Options

DFSDCxxx–These override SECURITY macro

•RCLASS 17 char suffix for RACF IMS resource classes

–These have no equivalent on SECURITY macro•BMPUSID•MSCSEC•LOCKSEC•SIGNON•SAPPLID

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



69

68

Operations Manager Security Options

§ CSLOIxx (Operations Manager PROCLIB)

CMDSEC = security option for all commands routedthrough Operations Manager (OM)

§ DFSCGxxx (IMS PROCLIB)

CMDSEC = security option for Type 1 commands routedthrough Operations Manager (OM)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



70

69

IMS Securityrelated Log Records§ Type X'10'

–Security violation has occurred§ Type X'16'

–Written at /SIGN ON and /SIGN OFF–Contains

•Physical terminal identifier•Userid•IMS time stamp

§Contain userid for signed on user–Types X'01' and x'5901' input message–Types X'03' and x'5903' output message–Types X'50', X'51', X'52' and X'5950' database change records

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



71

70

Putting It All Together

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



72

71

Factors Affecting SecurityThe security in force is determined by ...§ IMS system definition§ IMS JCL overrides§ IMS PROCLIB overrides

– DFSPBxxx– DFSDCxxx– CSLOIxxx– DFSCGxxx

§ IMS commands and restart options– Example: /SECURE APPC FULL– Example: /NRE TRANAUTH

§ Whether IMS was warm started or cold started§ Source of the input message§ RACF definitions§ Exits

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



73

72

Protecting IMS Resources§ IMS application (CTL, DL/I, etc)

§ Transactions

§ Commands

§ Terminals

§ PSBs

§ Datasets

§ Databases (records, fields, segments)

§ Dependent regions and connection threads

§ Coupling Facility structures

§ IMSPlex

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



74

73

Protecting IMS Resources

SOME EXAMPLES USING RACF

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



75

74

Protecting the IMS Control Region

Example:SETROPTS CLASSACT(APPL)

RDEFINE APPL (IMSP,IMST) UACC(NONE)

PERMIT IMSP CLASS(APPL) ID(GROUP1,GROUP2) ACCESS(READ)PERMIT IMST CLASS(APPL) ID(GROUPA,GROUPB) ACCESS(READ)PERMIT IMSP CLASS(APPL) ID(BILL) ACCESS(READ)

WHEN(TERMINAL(NODE1,NODE2))

If RAS security is activated (ISIS=R):PERMIT IMSP CLASS(APPL) ID(IMSMPR1,IMSBMP1) ACCESS(READ)

SETR RACLIST(APPL) REFRESH

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



76

75

Protecting DBRC CommandsExample:

CHANGE.RECON CMDAUTH(SAF,PROD)

RDEFINE FACILITY PROD.GENJCL.RECOV.AAA UACC(NONE)PERMIT PROD.GENJCL.RECOV.AAA CLASS(FACILITY) ID(JOE)

ACCESS(READ)

RDEFINE FACILITY PROD.GENJCL.RECOV.* UACC(NONE)PERMIT PROD.GENJCL.RECOV.* CLASS(FACILITY) ID(BILL) ACCESS(READ)

Complete list of resource names can be found inIMS V10 System Administration Guide Table 28IMS V9 DBRC Guide and Reference Appendix C

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



77

76

Protecting OM CommandsCMDSEC=R

RDEFINE OPERCMDS IMS.CSLPLX0.UPD.TRAN UACC(NONE)PERMIT IMS.CSLPLX0.UPD.TRAN CLASS(OPERCMDS)

ID(LONNIE) ACCESS(UPDATE)

RDEFINE OPERCMDS IMS.CSLPLX0.STO.DB UACC(NONE)PERMIT IMS.CSLPLX0.STO.DB CLASS(OPERCMDS)

ID(ALAN) ACCESS(UPDATE)

RDEFINE OPERCMDS IMS.CSLPLX1.UPD.TRAN UACC(NONE)RDEFINE OPERCMDS IMS.*.QRY.* UACC(NONE)PERMIT IMS.*.QRY.* CLASS(OPERCMDS) ID(KENNY) ACCESS(READ)

Complete list of resource names can be found inIMS V10 IMSPLEX Administration Guide Table 8IMS V9 Command Reference Appendix I Resource Names Table

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



78

77

Protecting CF Structures

RDEF FACILITY CQSSTR.IMSP_MSGQ1 UACC(NONE)PE CQSSTR.IMSP_MSGQ1 CLASS(FACILITY) ID(IMSP) ACCESS(UPDATE)

RDEFINE FACILITY IXLSTR.IMSP_MSGQ1 UACC(NONE)PERMIT IXLSTR.IMSP_MSGQ1 CLASS(FACILITY) ID(IMSP) ACCESS(UPDATE)

RDEFINE FACILITY IXLSTR.IMSP_IMSIRLM UACC(NONE)PERMIT IXLSTR.IMSP_IMSIRLM CLASS(FACILITY) ID(IRLMP) ACCESS(UPDATE)

SETROPTS CLASSACT(FACILITY)SETROPTS RACLIST(FACILITY) REFRESH

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



79

78

Protecting IMSPlexADDGROUP PLX0GRP ...ADDUSER OM1USER ... DFLTGRP(PLX0GRP)ADDUSER RM1USER ... DFLTGRP(PLX0GRP)ADDUSER CQS1USER ... DFLTGRP(PLX0GRP)ADDUSER IMS1USER ... DFLTGRP(PLX0GRP)ADDUSER ... (other address spaces needing access to SCI)

RDEF STARTED OM1 STDATA(USER(OM1USER) GROUP(PLX0GRP) ...RDEF STARTED RM1 STDATA(USER(RM1USER) GROUP(PLX0GRP) ...RDEF ... (for each started task)RDEFINE FACILITY CSL.CSLPLX0 UACC(NONE)

PERMIT CSL.CSLPLX0 CLASS(FACILITY) ID(PLX0GRP) ACCESS(UPDATE)

SETROPTS CLASSACT(FACILITY)SETROPTS RACLIST(FACILITY)REFRESH

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



80

79

Protecting IMS Data Sets

§ ADDSD(’IMSPROD.RESLIB’,’IMSPROD.PROCLIB’,’IMSPROD.ACBLIB’)UACC(NONE) AUDIT(ALL) OWNER(IMSADMIN)

§ PERMIT ’IMSPROD.RESLIB’ ID(IMSP,MARY,TESTGRP)ACCESS(READ)

§ PERMIT ’IMSPROD.RESLIB’ ID(SYSPROG,HENRY)ACCESS(UPDATE)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



81

80


PART 2: SMU CONVERSION

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



82

81

SMU Migration

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



83

Page 82

IBM Software Group

SMU to RACF Security

IMS V10 SMU Support Removed§ IMS V10 removes SMU and SMU components

–The Security Maintenance Utility–Application Group Name Exit Routine (DFSISIS0)–IMS.MATRIXx data sets

§ Primary consideration

–If migration from SMU to SAF/RACF has not already been done, migrationto IMS V10 will also need to include migration from SMU to SAF/RACF

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



84

Page 83

IBM Software Group


IMS V10 SMU Removal§ Any SMU parameters in System Generation macros will be

ignored– COMM, IMSGEN, SECURITY macros

§ Utilities– SMU Utility no longer supported– Online Change Utility ignores MATRIX dataset DD cards

§ Execution parameterse.g. AGN, ISIS, AOI1, MSCSEC, SGN, etc– Ignored if request SMU– Some parameters are no longer documented, but are ignored when

specified– Defaults changed where previous default was SMU

§ Commands that “require” SMU are rejected– e.g. /CHANGE PASSWORD

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



85

Page 84

IBM Software Group


SMU Compared with RACF Security (Before IMS V10)

§ The basic command and transaction security is available witheither SMU or RACF

– SMU authorizes the LTERM to use a transaction/command– RACF authorizes the USERID to use a transaction/command

§ SMU keeps its security definitions in a matrix– Who can do what– What can be done by whom

§ RACF keeps security definitions in user profiles which describeallowed access to defined resources

– Resources defined in RACF Resource Classes –for example:•Transactions –TIMS class (or groups of transactions in GIMS class)•Commands CIMS class (or groups of commands in DIMS class)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



86

Page 85

IBM Software Group


RACF Security Before IMS Version 9Most IMS security could be implemented with RACF

§ SignOn user validation andverification– Check user is known– Check password is correct

§ Terminal Security– User v. physical terminal

§ IMS System Access Security– User v. IMS ID

§ Transaction Security– User v. Trancode

§ Command Security– User v. IMS Command in Control

Region– User v. IMS Command in

Operations Manager

§ AOI Type2 ICMD Call Security– User v. IMS Command

§ IMS Data Set Access Security– Controls access to DBs and

system datasets§ DB Data Access Security –used

with DL/1 AUTH call– User v. DB Record– User v. Segment– User v. Field

§ PSB Access Security For ODBAand CPIC– User v. PSBname

§ Connection Access Control– IMS Connect, CQS, CSL address

spaces, etc

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



87

Page 86

IBM Software Group


IMS V9Last release tosupport SMU

Security Enhancements in IMS V9/V10

§ Version 9 introduced enhancements toIMS and the RACF interface to support theseremaining functions that required SMU in IMS V8:1. Application Group Name (AGN) security2. Type 1 Automated Operator Interface (AOI)3. Terminal security for TimeControlled Operations (TCO)4. MSC linkreceive security for nondirected routing5. /LOCK, /UNLOCK and /SET commands with passwords6. Static terminal Signon

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



88

Page 87

IBM Software Group


Resource Access SecurityResource Access Security

(Replaces AGN Security)(Replaces AGN Security)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



89

Page 88

IBM Software Group


Resource Access Security with SMU

§ Uses Application Group Name (AGN) security– IMS Version 9 was the last release to support AGN security

§ Objectives of AGN Security

– Check at Program Scheduling Time that the resources involved(PSB, TRANcode, LTERM) are authorized to be used by theDependent Region

§ Predominantly used for BMPs, but actually applies for alldependent regions and connecting threads (DRA/CCTL/ODBA)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



90

Page 89

IBM Software Group


AGN Security Requirements

§ THREE Required Elements

1. AGN defined in SMU4 A named group of4 PSBs, Transaction Codes, LTERMnames

2. RACF (optional –can alternatively use DFSISIS0 Exit)4 Define AGN in AIMS resource class4 Permit userids to use AGN

3. Dependent Region JCL must contain AGN=xxx execution parameter4 Would also contain USERID

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



91

Page 90

IBM Software Group


AGN Security Checks§ At Dependent Region Startup

– AGN name (if specified in JCL) is authorized for useby Region’s USERID

•RACF or DFSISIS0 (Resource Access Security Exit)

§ At Program Scheduling Time– Check (performed by SMU ) that required IMS resource(s) are in the AGN

group for this region•MPP / JMP : check TRAN in AGN*•Message Driven BMP : check TRAN and PSB in AGN*•NMDBMP / IFP / JBP : check PSB in AGN•NMDBMP with OUT= : additionally check output LTERM /

TRAN in AGN

Mostly, inpractice, AGN

security isonly used with

BMPs

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



92

Page 91

IBM Software Group


RACF

RACFIMSA

RACF

DATASPACE

AIMS profilesandaccess lists

SMU AGNTABLEAGN1 AGN2 AGNX

PAYROLL PSB5 TRANXPAYTRAN LTERM2 LTERM1LT1234A9LT47AZ50

AGNXMPP1

AGN2IFP1

AGN1BMP1

BMP1DependentRegion

Start up JCLIMSID=IMSA,USER=BMP1,PASSWORD=PW,AGN=AGN1,.IDENTIFY/CONNECT...SCHED PAYROLL

1A1B

RACROUTEREQUEST=AUTH,CLASS=AIMS, ENTITY=AGN1...

2A

2B

MPP1BMP1

ACEEs

USER1

IFP1

IMSP1

1C

An alternative to the use of RACF is the use of the DFSISIS0 exit –renamed to “AGN Security Exit” (one or the other is called, not both)

Resource Access Security (RAS)

§ The old way SMU and AGN ...

BMP Example –Relies on “AGN=”being coded in JCL

RACF Check

SMU Check

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



93

Page 92

IBM Software Group


Resource Access Security (RAS) with IMS V9/V10§ The new way in IMS V9/V10

– Provides direct RACF authorization checking at program scheduling timeof Region Userid against IMS Resource (TRAN, PSB, LTERM)

– Uses RACF security classes for PSBs and LTERMs•IIMS: Program Specification Block (PSB)•JIMS: Grouping class for PSB•LIMS: Logical terminal (LTERM)•MIMS: Grouping class for LTERM•TIMS: Transaction (TRAN)•GIMS: Grouping class for Transactions

PSBs in AIMSclass are forODBA andExplicit APPCuse of APSBonly(further details willfollow)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



94

Page 93

IBM Software Group


Enabling Resource Access Security in IMS V9/V10§ New specifications in system definition

– SECURITY ... TYPE = RASRACF | RASEXIT | RAS | NORAS || NOAGN | RACFAGN | AGNEXIT

§ New specifications during startup (DFSPBxxx exec parameter)– ISIS = N | R | C | A | 0 | 1 | 2

} ISIS =N | 0 turns off all security checking

RASRACF = RAS security invokes RACFRASEXIT = RAS security invokes an IMS user exit (DFSRAS00)RAS = RAS security invokes RACF and user exit DFSRAS00NORAS = No security (turns off both RAS and SMU)

N = No security (turns off both RAS and SMU)R = RAS security invokes RACFC = RAS security invokes an IMS user exit (DFSRAS00)A = RAS security invokes RACF and user exit DFSRAS00

defaults to SECURITY ... TYPE= specification (or default)

Ignoredin V10

0/1/2 ignored in V10

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



95

Page 94

IBM Software Group


Resource Access Security Checks§ New user exit (DFSRAS00) is called after RACF (when both are used)

– Provides authorization of IMS resources to IMS dependent regions in a RASenvironment

§ RACF and/or DFSRAS00 make checks at every program scheduleusing Region’s USERID

– Authorize region against transaction (MPP, JMP)*– Authorize region against PSB (IFP, NMD BMP, JBP, DRA|CCTL|ODBA)– Authorize region against transaction and PSB (MD BMP)*– Authorize region against PSB and OUT=LTERM (NMD BMP, JBP)– Authorize region against PSB and OUT=transaction (NMD BMP, JBP)

* Also check region userid can use LTERM (if LTERM defined in LIMS class)

§ Available in DCCTL, DB/DC, and DBCTL

– DFSISIS0 remains available in an AGN environment for V9, but AGN securityand the new RAS security can not coexist in a single IMS system

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



96

Page 95

IBM Software Group


Resource Access Security and APSB Security§ When RAS is enabled

– RAS check is made at every MPP/JMP program schedule using region’s userid– RAS check is made at every BMP/IFP/JBP program schedule using region’s userid– RAS check is made at every CICS/DBCTL program schedule using userid of CICS address

space• Completely separately, CICS can perform check of terminal user against PSB

§ RAS checking takes place at a program schedule– PSB defined in IIMS RACF class

APSB security checking takes place for an “APSB Call”– PSB defined in AIMS RACF class

IMS will never use both checks for the same schedule!

§ ODBA APSB call– Exec parameter “ODBASE=Y” means use APSB security– With ODBASE=N, RAS (or AGN) security will apply if enabled

§ Explicit APPC (CPIC) APSB call– If APSB security is performed (with caller’s userid), RAS check will not be made– If APSB security is not performed, RAS check (if enabled) will be performed using region’s

userid

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



97

Page 96

IBM Software Group


AGN definitions:

)( AGN IMSDGRPAGPSB DEBSAGPSB APOL1AGTRAN TRANAAGTRAN TRANBAGLTERM IMSUS02AGLTERM T3270LD

RACF definitions:ADDUSER BMPUSER1

RDEFINE JIMS RASPGRP ADDMEM(DEBS,APOL1) UACC(NONE)PERMIT RASPGRP CLASS(JIMS) ID(BMPUSER1) ACCESS(READ)RDEFINE GIMS RASTGRP ADDMEM(TRANA,TRANB) UACC(NONE)PERMIT RASTGRP CLASS(GIMS) ID(BMPUSER1) ACCESS(READ)RDEFINE MIMS RASLGRP ADDMEM(IMSUS02,T3270LD) UACC(NONE)PERMIT RASLGRP CLASS(MIMS) ID(BMPUSER1) ACCESS(READ)

ADDUSER BMPUSER1

RDEFINE AIMS IMSDGRP OWNER(IMSADMIN) UACC(NONE)PERMIT IMSDGRP CLASS(AIMS) ID(BMPUSER1) ACCESS(READ)SETROPTS CLASSACT(AIMS)

RACF definitions(userid to AGN group):

OLD

NEW

RAS Migration Examples

Example 1 BMP with OUT=lterm/tran

PK35433 and PK38522• Program DFSKAGN0 is provided to

assist in the conversion of AGNSMU statements to RACFcounterparts

• Skeleton DFSKSMJA is providedas a sample JCL stream forinvoking DFSKAGN0

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



98

Page 97

IBM Software Group


AGN definitions:

)( AGN ALLGRPAGPSB ALLAGTRAN ALL

In RACF, generic resource definitions can be usedRACF definitions:

ADDUSER DRAINBMP

RDEFINE JIMS ** UACC(NONE)PERMIT ** CLASS(JIMS) ID(DRAINBMP) ACCESS(READ)RDEFINE TIMS ** UACC(NONE)PERMIT ** CLASS(TIMS) ID(DRAINBMP) ACCESS(READ)

RAS Migration Examples ...Example 2 AGN name with access to all entities of a

particular resource type

OLD

NEW

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



99

Page 98

IBM Software Group


Migrating Off SMU with V9§ Define all AGN resources to RACF in the appropriate classes

§ Define all region ids as RACF users

– BMPs, MPPs, IFPs, etc.

§ Permit region ids to access appropriate resources

§ Change SECURITY macro to specify RAS

and/or

§ Change ISIS= parameter in DFSPBxxx to specify RAS

§ If needed, add ODBASE=Y to DFSPBxxx

§ Restart IMS

§When safe, remove SMU definitions

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



100

Page 99

IBM Software Group


AOI SecurityAOI Security

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



101

Page 100

IBM Software Group


AOI Security in V8 and Before§ Automated Operator Program commands

– Type 1 AOI CMD calls•SMU transaction command security•SECURITY... TRANCMD = NO | YES | FORCE

/NRE or /ERE COLDSYS ... TRANCMDS | NOTRANCMDS•SMU definitions} Which commands can be executed

by a specific program

} Which programs can execute aspecific command

)(CTRANS AUTOCTLTCOMMAND STARTTCOMMAND STOP

)(TCOMMAND STOPCTRANS AUTOCTLCTRANS ADDINV

Ignoredin V10

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



102

Page 101

IBM Software Group


§ IMS V9 enhancements

1. RACF &/or DFSCCMD0 support for4 Type 1 AOI CMD calls

AND4 Type 2 AOI ICMD calls

3. New TRANSACT macro parameter• Defines what is used as the userid• Affects both Type1 and Type2 AOI calls• But has slightly different meaning for each type

1

AOI Security in IMS V9/V10

If you make no changes when migrating toIMS V9, AOI security will be as before

2. Exec parameter,“AOI1” in addition toexisting “AOIS”

2

3

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



103

Page 102

IBM Software Group


Security Support for Type 1 AOI (CMD)§ New IMS EXEC parameter to choose type of security

–AOI1= N | C | R | A | S ‘S’ is reset to ‘R’ in V10

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



104

Page 103

IBM Software Group


YES = Requests the USERID of the user who entered the transaction beauthorised against the Command (in CIMS class)

TRAN = Requests that the TRANCODE be used as the userid for authorizationagainst the Command (in CIMS class)è transactions have to be defined to RACF as USERIDs

CMD = Requests that the COMMAND CODE (first three characters ofthe command) be authorised against Trancode (in TIMS class)è the first three characters of IMS commands have to be defined to

RACF as USERIDsNO = AOI Type 1 CMD calls are not allowed

Not relevant for AOI Type 2 ICMD calls same as YES

TRANSACT AOI= Parameter§ New IMSGEN TRANSACT parameter

–TRANSACT … . AOI= YES | TRAN | CMD | NO– Relates to use of RACF/DFSCCMD0 for both types of AOI

command call

Note thatNote thatType 2 commandsType 2 commands

now have additionalnow have additionalsecurity optionssecurity options

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



105

Page 104

IBM Software Group


)(CTRANS AUTOCTLTCOMMAND STARTTCOMMAND STOP

)(TCOMMAND STOPCTRANS AUTOTRANCTRANS ADDINV

RACF definitions:ADDGROUP AOCMDSADDUSER STO DFLTGRP(AOCMDS)ADDUSER STA DFLTGRP(AOCMDS)

RDEFINE TIMS AUTOCTL UACC(NONE)PERMIT AUTOCTL CLASS(TIMS) ID(AOCMDS) ACCESS(READ)

ADDUSER AUTOTRANADDUSER ADDINV

RDEFINE CIMS STO UACC(NONE)PERMIT STO CLASS(CIMS) ID(AUTOTRAN, ADDINV) ACCESS(READ)

Specify TRANSACT macro AOI= parameter in IMS definitions

RACF Replacement for Type 1 AOI (CMD) SMU Security

TRANSACT CODE=AUTOCTLTRANSACT CODE=AUTOCTLAOI=CMDAOI=CMD

TRANSACT CODE=AUTOTRANTRANSACT CODE=AUTOTRANAOI=TRANAOI=TRAN

OLD

NEW

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



106

Page 105

IBM Software Group


RACF and SMU Coexistence in IMS V9§ Only relevant for Type 1 AOI (CMD) calls

– AOI1=S•Uses SMU security•TRANSACT AOI value ignored

– AOI1=N•No authorization checking is done•TRANSACT AOI value ignored

– AOI1=R|C|A•Uses RACF and/or DFSCCMD0•TRANSACT AOI value honored

– AOI1 not specified•Defaults to IMS GEN specification for SMU in V9•Defaults to R in V10

§ Final override– /NRE or /ERE ... TRANCMDS | NOTRANCMDS

V9 Use SMU.V10 Ignored in

V9: CMD calls not allowed

V10: ignored

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



107

Page 106

IBM Software Group


Migrating Off SMU on V9Type 1 (CMD)§ Initially, code AOI1=S to get SMU security§ Set up required RACF definitions for type 1 commands

– If define trancodes or IMS command verbs as userids, specify apassword to ensure that people can not signon with these userids

§ Add AOI=value to TRANSACT macros in IMSGEN– Can use online change– Will be ignored for type 1 commands while AOI1= indicates SMU

security§ Change (or add) AOI1=R to DFSPBxxx§ Restart IMS (can be warm)§When safe, remove SMU definitions PK35433 and PK38522

• Program DFSKCIMS is provided toassist in the conversion of SMUstatements to RACF counterparts

• DFSKSMU1 and DFSKAOI1 assistin adding AOI= parameter toTRANSACT macros

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



108

Page 107

IBM Software Group


Time Control Option (TCO)Time Control Option (TCO)SecuritySecurity

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



109

Page 108

IBM Software Group


TCO Security in V8 and Before

§ Time Controlled Operations (TCO)

– IMS capability to execute timeinitiated commands and transactions

§ Security support

– Authorization of loading of TCO script by an LTERM•performed only by DFSTCNT0 exit

– Resource authorization•Commands and Transaction security using SMU•Transaction security (only) using RACF} Command security could be requested but is not performed

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



110

Page 109

IBM Software Group


TCO Security in IMS V9/V10

§ Loading of TCO scripts– No change performed only by DFSTCNT0 exit

§ Resource Security

– Command and Transaction security with SMU in V9, but not in V10

– Command and Transaction security with RACF in V9/V10

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



111

Page 110

IBM Software Group


TCO Security with SMU§ Uses standard SMU transaction and command security for

DFSTCFI (the TCO input LTERM)

§ DFSCCMD0 will also be called if it exists (after SMU check) forcommand security

)( TERMINAL DFSTCFICOMMAND STARTCOMMAND STOPTRANSACT STATTRN

)( COMMAND STARTTERMINAL DFSTCFI

)( COMMAND STOPTERMINAL DFSTCFI

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



112

Page 111

IBM Software Group


§ Requires IMS EXEC parameter, RCF= A | S | R | B– Requests RACF support for transaction and command authorisation

§ Requires a USERID– TCO script specification of /SIGN ON tcousid tcopw

• Should also issue /SIGN OFF at end of script

– Else uses control region userid

§ Available for RACF authorization of transactions only– TCO userid is authorised to use transactions in the TIMS class, as usual

§ Command security for TCO userid can be specified …– … but RACF will not be called– TCO is treated by IMS V8 like a system console or master terminal

•Eligible to enter any commands– DFSCCMD0 will be called if it exists

RACF Security for TCO in V8

No RACF for

No RACF for

commands!

commands!

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



113

Page 112

IBM Software Group


RACF Support for TCO in IMS V9/V10§ Requires new execution parameter: TCORACF = Y | N

– Specifies whether or not TCO command security is done with RACF

§ Requires RCF = A | S | R | B– RACF is called for TCO command security only if TCORACF = Y is also

specified§ Requires a TCO USERID

– TCO script specification of /SIGN ON tcousid tcopw

– if DFSTCFI is not required to sign on, will use IMS user ID

§ RACF will be called in standard way to authorize transactionsand commands

– Using TCO USERID

§ DFSCCMD0 will be called if it exists (after RACF) for commandsecurity

R/B ignored in V10

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



114

Page 113

IBM Software Group


ADDUSER TCOUSID DFLTGRP(IMS) OWNER(IMS) PASSWORD(tcopw)PERMIT STA CLASS(CIMS) ID(TCOUSID) ACCESS(READ)PERMIT STO CLASS(CIMS) ID(TCOUSID) ACCESS(READ)PERMIT STATTRN CLASS(TIMS) ID(TCOUSID) ACCESS(READ)

)( TERMINAL DFSTCFICOMMAND STARTCOMMAND STOPTRANSACT STATTRN

RACF Support for TCO ...

The above definitions could havebeen coded in prior releases. If so,authorization for the transactionwas done. Commandauthorization, however, was neverinvoked.In IMS V9/10 (TCORACF=Y), usingthe same definitions, RACF will beinvoked for command authorization.

This example assumes:

Command and transaction profiles already exist The TCO userid (TCOUSID) is connected to a RACF group The TCO script issues a /SIGN ON for TCOUSID RCF= and TCORACF=Y are specified

OLD

“NEW”

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



115

Page 114

IBM Software Group


Migrating Off SMU on V9

§ Prerequisite is that RACF is used for command / transactionsecurity

– RCF= A | S | R | B

§ Define TCO userid and permissions in RACF

§ Add /SIGN ON to all TCO scripts

§ Add TCORACF=Y to DFSPBxxx

§ Restart IMS (can be warm)


R/B ignored in V10

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



116

Page 115

IBM Software Group


MSC Link ReceiveMSC Link ReceiveSecuritySecurity

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



117

Page 116

IBM Software Group


MSC Link Receive Security in V8§ Directed Routing*

– Uses RACF, and Transaction Authorization Exit Routine (DFSCTRN0)if defined

– If DFSMSCE0 exit (link receive entry point) is defined, RACF andDFSCTRN0 are called before and after call of DFSMSCE0

§ NonDirected routing– Uses SMU (after the DFSMSCE0 call)

•Normal transaction security using MSName as the LTERMname– Note: security checking may also have already taken place in the

inputting IMS (terminal security or CHNG call security)

* “Directed Routing”is when application explicitly specifiestarget location

• Not necessarily defined in IMS GEN

Note that Directed and NonNote that Directed and Nondirected routing use differentdirected routing use different

userids for securityuserids for security

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



118

Page 117

IBM Software Group


MSC Link Receive Security in V8 …

IMSB

SMUTABLES

IMSC

USER2

RACF DATA SPACE

ResourceProfiles andAccess Lists

ACEEs

USER1IMSP1

RACFDB

SystemAuthorization

Facility

APPLCTN PSB=APPLXTRANSACT CODE= TRANX

APPLCTN PSB=APPLXTRANSACT CODE=TRANX

SYSID=(01,30)

NonNonDirected RoutingDirected Routing

USER1

TRANX

SMUTABLES

SMUCheck

IMSA

APPLCTN PSB=APPLYTRANSACT CODE= TRANZ

SystemAuthorization

FacilityRACF DATA SPACE

ResourceProfiles andAccess Lists

ACEEs

RACFDB

USER2

TRANY

Directed RoutingDirected Routing

USER2

TRANYUSER1

IMSA1

MPPISRTTRANZ

MSC LINKS

)( TRANSACT TRANXTERMINAL MSNAME1

*MSNAME1 is thelogical link

SMUSMU • Build user2 ACEE• Check user2 access

to TRANZ (TWICE!)

RACFRACF)( TRANSACT TRANXTERMINAL MSNAME1

*MSNAME1 is thelogical link

SMUSMU

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



119

Page 118

IBM Software Group


MSC Link Receive Security in IMS Version 9/10§ New DFSDCxxx parameter to specify use of RACF / DFSCTRN0

– MSCSEC=(parm1, parm2)

•parm1 : defines types of MSC linkreceive usage that requiresecurity

} LRDIRECT | LRNONDR | LRALL | LRNONE

•parm2 : defines type of security check to be performed} CTL | MSN | USER | EXIT | CTLEXIT |

MSNEXIT | USREXIT | NONE

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



120

Page 119

IBM Software Group


RACF for MSC Link Receive Security in V9/V10§ MSCSEC=(parm1, … ..)

– LRDIRECT = Link Receive Directed Routing tran security checking– LRNONDR = Link Receive NonDirected Routing tran security checking– LRALL = LRDIRECT and LRNONDR– LRNONE = No Link Receive security checking

§ V8 compatibility is provided with LRDIRECT– V9 will use SMU security for nondirected routing, but V10 will have no

security for nondirected routing when LRDIRECT is specified

§ RACF / DFSCTRN0 called once, after DFSMSCE0

§ The USERID to be used is defined by MSCSEC parm2 orDFSMSCE0 Exit

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



121

Page 120

IBM Software Group


CTL = Use userid of control regionMSN = Use MSNAME as the useridUSER = Use the terminal user’s useridEXIT = Authorization by user exit alone (DFSCTRN0)CTLEXIT = Use ctl regn userid for RACF and call DFSCTRN0MSNEXIT = Use MSNAME as userid for RACF and call DFSCTRN0USREXIT = Use terminal user’s userid for RACF and call DFSCTRN0NONE = No Security authorization checking

RACF for MSC Link Receive Security in V9/V10 ...§ MSCSEC=(… … ., parm2)

– Specifies what is used as “userid” for transaction security check– MSCSEC=(LRDIRECT | LRNONDR | LRALL | LRNONE ,

CTL | MSN | USER | EXIT | CTLEXIT | MSNEXIT | USREXIT | NONE)

Note: with RACF, security environment for control region orMSNAME is built once when first used, and retained. But securityenvironment for an end user is built and deleted for each message.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



122

Page 121

IBM Software Group


New Role for DSFMSCE0 Link Receive Processing

§ Traditionally, directed and nondirected routing have useddifferent userids for security

– To achieve this in future will require the use of DFSMSCE0 exit

§ Additional data is passed to DFSMSCE0– Userid, Group name, and Userid indicator

§ DFSMSCE0 can override MSCSEC PARM2 value– In other words, DFSMSCE0 link receive processing can –

•Enable or disable security check•Enable or disable use of DFSCTRN0•Choose what userid to use for RACF security} user, control region or MSName

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



123

Page 122

IBM Software Group


Migrating Off SMU with IMS V9

§ When migrating to IMS V9, add to DFSDCxxx– MSCSEC=(LRDIRECT,USER)

•or authorise control region for transaction execution, and take defaultMSCSEC values (LRDIRECT,CTL)

§ Decide what type of userid to use for directed and nondirected routing– Easier when both the same, but can be different

§ Update RACF to include new userids (MSNAMEs and Ctl Rgn) ifnecessary, and grant their access to transactions

§ If using two types of userid, code DFSMSCE0 accordingly

§ Change DFSDCxxx to include– MSCSEC=(LRALL,USER |MSN |CTL)

§ Restart IMS

§ When safe, remove SMU definitions

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



124

Page 123

IBM Software Group


/LOCK, /UNLOCK and/LOCK, /UNLOCK and/SET Security/SET Security

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



125

Page 124

IBM Software Group


/LOCK, /UNLOCK and /SET Security in V8

§ SMU is used to provide Password Security– e.g., /LOCK DATABASE payroll (uomecash)

/SET TRANSACTION paytran (uomecash)– Note: these passwords can not be used with ETO terminals (ETO and

SMU are incompatible)

§ Definitions to achieve SMU /LOCK and /SET password security– IMSGEN SECURITY Macro : PASSWD=YES

•Can override with /NRE or /ERE COLDSYS PASSWORD– SMU Definitions

Password is associatedwith specific resource

)( DATABASE PAYROLLPASSWORD UOMECASH

)( PASSWORD UOMECASHDATABASE PAYROLLPROGRAM PAYPROGTRANSACT PAYTRAN

or

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



126

Page 125

IBM Software Group


Use of /LOCK, /UNLOCK and /SET Security

§ An “end user manager” can LOCK and UNLOCK his users’LTERMs

– One or more LTERMs for a physical terminal– Only he knows the password to do this (when using SMU)

§ Similarly he can SET the destination transaction code for aterminal

– Only he knows the password to do this (when using SMU)

§ Senior operators can LOCK and UNLOCK DBs, programs andtransactions

– Only they know the passwords to do this (when using SMU)

§ In IMS V9/V10 with RACF, these “special people” are explicitlyauthorized to LOCK, UNLOCK and SET specific resources

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



127

Page 126

IBM Software Group


RACF /LOCK, /UNLOCK and /SET Security in IMS V9/V10

§ New DFSDCxxx parameter : LOCKSEC = Y | N– N = No authorization checking

•standard command security will still apply– Y = Calls RACF (and DFSCTRN0 if TRAN)

•RACF classes: LIMS, PIMS, IIMS, TIMS} for LTERM, DB, PSB, TRAN respectively

•If resource is not defined to RACF, access will be granted§ RACF security is based on user’s userid

– Userid must be authorized to issue /LOCK, /UNLOCK, /SET commands AND mustbe authorized for use of specific resource

§ Password security is still available in V9 and V10– In V9, SMU checking can still be requested (done before RACF)– In V9/10, RACF REVERIFY password support can be requested

•User’s signon password is used for reverification

Does not apply to/LOCK or /UNLOCKof NODE or PTERM

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



128

Page 127

IBM Software Group


Migrating Off SMU with V9

§ Define to RACF all resources that need to be LOCKed or SET

– LTERMs, DBs, Programs (PSBs), and Transactions

§ Grant authority for using these resources to the appropriateuserids

§ Add LOCKSEC=Y to DFSDCxxx

§ Restart IMS


§ Inform users that passwords are no longer needed

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



129

Page 128

IBM Software Group


Sign On VerificationSign On VerificationSecuritySecurity

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



130

Page 129

IBM Software Group


Signon Verification Security in V8

§ SMU method for static terminal Signon Verification– Defines which static (nonETO) terminals must /SIGN ON

)( SIGNSTERM TERM1STERM TERM2 or STERM ALLSTERM TERM3...

– RequiresSECURITY SECLVL=SIGNON or FORCSIGN

– … and typically requests RACF verification of userid/password withSECURITY TYPE=RACFTERM

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



131

Page 130

IBM Software Group


Signon Verification Security in IMS Version 9/10§ Does not require RACF (or SMU)

§ New startup parameter in DFSDCxxx– SIGNON = ALL | SPECIFIC

•ALL : all static terminals (except 3284/3286, SLU1 printers,and MTOs)

•SPECIFIC : based on OPTIONS of TYPE/TERMINAL macro

§ Addition to the OPTIONS parameter on the TYPE and/orTERMINAL macros

– OPTIONS = (...,SIGNON | NOSIGNON)•Specification on TERMINAL macro overrides TYPE

§ In V9, if a TERMINAL has both a SMU STERM specification and aconflicting OPTIONS=NOSIGNON, then SMU takes precedence

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



132

Page 131

IBM Software Group


Migrating Off SMU with IMS V9

For “ALL”

§ Add SIGNON=ALL to DFSDCxxx§ Restart IMS

For “SPECIFIC”

§ Add OPTIONS=(… SIGNON… ) for all TERMINALs which currentlyhave an explicit SMU signon requirement§ Add SIGNON=SPECIFIC to DFSDCxxx§ Restart IMS


PK35433 and PK38522• Programs DFSKSMU1 and

DFSKSMU2 are provided to assistin the conversion of )(SIGN SMUstatements to the OPTIONSSIGNON parameter on theTERMINAL macros

• Skeleton DFSKSMJS is providedas sample JCL for invokingDFSKSMU1 and DFSKSMU2

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



133

Page 132

IBM Software Group


Other ConsiderationsOther Considerations

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



134

Page 133

IBM Software Group


Implementing LTERM Security with RACF§ SMU can be used to provide LTERMbased transaction and/or

command security (for static LTERMs))( TERMINAL LTERM5

COMMAND DISTRANSACT TRANA

§ Equivalent security can be provided by RACF, but requires thatRACF be called from the Transaction and/or CommandAuthorisation Exits (DFSCTRN0, DFSCCMD0). For example,– Protect the static LTERMs with the LIMS resource class– Define the commands (there are about 50) and/or transaction codes as

userids– In DFSCCMD0/DFSCTRN0, invoke RACF to VERIFY the IMS

command/transaction as a userid, and authorize it against the LTERMname

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



135

Page 134

IBM Software Group


Implementing LTERM Security with RACF§ Or, for even tighter security,

– Create FACILITY class RACF profiles of command.lterm –e.g.DIS.LTERM5, and similarly for trancode.lterm –e.g. TRANA.LTERM5

– In DFSCCMD0/DFSCTRN0, call RACF to authorize user ID/group to theresource class using the applicable resource combinations

§ The IBM tool, “IMS ETO Support for z/OS” can be used toprovide SMUlike security for– TRANSACTION/ LTERM– TRANSACTION/PASSWORD– COMMAND/LTERM

without requiring any user coding of the IMS Exits– It supports both Static and Dynamic terminals

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



136

Page 135

IBM Software Group


Implementing Password Security with RACF§ SMU can provide additional protection for signed on static

terminals, by requiring the user to enter the SMUdefinedpassword that is associated with a transaction or command (orresource for /LOCK, /UNLOCK and /SET)

§ RACF Solution– Applies to static and ETO terminals– Use the REVERIFY facilities in IMS and RACF

• Specify RVFY=Y in IMS• Specify 'REVERIFY' in the APPLDATA section of the RACF profile

for the transactions and command– Requires a signed on user to reenter the signon password with the

transaction or command input/DBR(mypassw) DATABASE XYZ

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



137

136

Migration Considerations ...

lEnable RCF= value to something other than "N"

–Requires IMS cold start

lSpecify NORSCCC(MODBLKS) in DFSCGxxx

–Turn off resource consistency checking for Matrix data sets in anIMSplex environment

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



138

137


lConsider possible conflicts of trancodes for AOI andcurrent userids for users

–Possible MSNAME conflicts also

lDefine Matrix data sets

–V9 still required, but may be empty

–V10 no longer needed

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



139

138


lAny of the following SECURITY macro optionsactivate SMU–PASSWD=YES or PASSWD=FORCE

Override /NRE NOPASSWORD

–TERMNL=YES or TERMNL=FORCEOverride /NRE NOTERMINAL

–TRANCMD=YES or TRANCMD=FORCEOverride AOI1=R

–TYPE=RACFAGN or TYPE=AGNEXITOverride ISIS=R

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



140

139


§ AOI considerations– CMD has new status code and new return/reason (AIB)

codes– ICMD has new return/reason codes

§ Log record (type X ‘10’) has new error codes

§ New and changed Exits– DFSRAS00, DFSCCMD0, DFSISIS0, DFSMSCE0

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



141

140

Migration Checklist SMU to RACF

lTranslate AGN definitions to RACF

–Make sure new classes are activated in RACF

–Define new RAS parameters

üSECURITY macro or execution ISIS parameter

–Create DFSRAS00 to replace DFSISIS0

–Review JCL for AGN= specifications

lFor static terminals required to sign on

–Specify SIGNON=ALL|SPECIFIC parameter in DFSDCxxx

–Optionally, specify OPTIONS=SIGNON on applicableTYPE/TERMINAL macros

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



142

141

Migration Checklist SMU to RACF ...

lEnable SAF support for TCO command authorization

–TCORACF=Y and RCF=A|S|R|B

lReview AOI requirements

–Specify AOI parameter on TRANSACT macro where needed

–For TYPE 1 CMD security, additionally specify AOI1 = A|N|C|R|S

lMigrate /LOCK and /UNLOCK security

– Specify LOCKSEC=Y in DFSDCxxx

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



143

142

Migration Checklist SMU to RACF ...

lReview MSC requirements for link receive security

–Specify use of SAF/DFSCTRN0 and level of authorizationchecking in the new MSCSEC parameter in DFSDCxxx

–Modify DFSMSCE0 if needed

–Synchronize RACF profiles on sending and destination systems

lDetermine the need to change or write exit routines

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



144

143


SMU TO RACF CONVERSIONUTILITIES

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



145

IBM Software Group

Page 144

SMU to RACF CONVERSION UTILITIES

SMU to RACF Conversion Utilities

§ A set of standalone programs and JCL

§ Delivered via PTF

§ Documented in PSP bucket:

UPGRADE IMS910 SUBSET SMU2RACFCON

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



146

IBM Software Group

Page 145

SMU to RACF CONVERSION UTILITIES

PTFs on IMS V9 and IMS V10 provide a set of utilities to help migrateSMU to RACF

§ IMS V9:§ PK68453/UK38824§ PK66015/ UK37339§ PK56106/UK32791§ PK54996/UK32790§ PK38522/UK28607§ PK35433/UK21894

§ IMS V10§ PK69107/UK38825§ PK66030/ UK37313§ PK56185/UK33359§ PK58281/UK32794§ PK49538/UK31516

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



147

IBM Software Group

Page 146

SMU to RACF Conversion Utilities

§ Application Group Name (AGN) security4Use DFSKAGN0 to generate RACF RAS definitions

§ Type 1 Automated Operator Interface (AOI)4Use DFSKDIMS (optional) and DFSKCIMS to generate RACF statements4Use DFSKSMU1 and DFSKAOI1 to add AOI parameter to TRANSACT macros in Stage 1

§ Terminal security for TimeControlled Operations (TCO)4Use DFSKDIMS (optional) and DFSKCIMS to generate RACF statements for LTERM

DFSTCFI

§ MSC linkreceive security4DFSKSTG0 Stage 1 Analysis report will provide advice on what is required

§ /LOCK, /UNLOCK and /SET commands with passwords4DFSKSTG0 Stage 1 Analysis report will provide advice on what is required

§ Static terminal Signon verification4Use DFSKSMU1 and DFSKSMU2 to add SIGNON option to TERMINAL macros in Stage 1

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



148

IBM Software Group

Page 147

SUMMARY

§ IMS 9 and IMS 10 include a set of utilities to simplifyand expedite the migration from SMU4Supplied via PTFs4Addresses the most manually intensive tasks4Creates corresponding RACF statements4Updates IMS Stage 1 TRANSACT &/or TERMINAL

macros as needed

§ Not meant as a total solution!4Generated RACF statements may well require

additional editing4Customers using different flavors of the same type of SMU security e.g. )( CTRANS and

)( TCOMMAND –may have to convert different subsets of SMU source in different ways

§ The Stage 1 Analysis Report documents all the appropriate tasks formigrating off SMU

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



149

148


References

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



150

149

References for Security Information

§ IMSV10 System Administration Guide–Chapter 8

SC18971800 available for viewing or download athttp://www.ibm.com/ims

§ IMSV9 System Administration Guide–Chapter 4

SC18780700 available for viewing or download athttp://www.ibm.com/ims

§ IMS Version 9 Implementation Guide–Chapter 6

SG246398http://www.redbooks.ibm.com/redbooks/pdfs/sg246398.pdf

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com

http://www.ibm.com/ims

http://www.ibm.com/ims

http://www.redbooks.ibm.com/redbooks/pdfs/sg246398.pdf



151

150


§ IMSV7 Performance Guide (Redbook)Chapter 19

SG246404 http://www.redbooks.ibm.com/redbooks/pdfs/sg246404.pdf

§ IMSV6 Security Guide (Redbook) (still valid despite its age)SG245363 http://www.redbooks.ibm.com/redbooks/pdfs/sg245363.pdf

§ IMS Primer (Redbook)Chapter 24SG245352 http://www.redbooks.ibm.com/redbooks/pdfs/sg245352.pdf

§ z/OS Security Server RACF Security Administrator's Guide SA22768311Chapter 16: RACF and IMS (concise but missing updates)

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com






152

151


§ Presentations

http://www306.ibm.com/software/data/ims/shelf/presentations/

Especially:

– "Security Options and Considerations for OTMA, IMS Connect, andthe MQSeries Bridge Application“

– "Converting IMS SMU Security to RACF with V9"

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com

http://www-306.ibm.com/software/data/ims/shelf/presentations/



153

152

RACF tools

§RACTRACE tool –can trace every RACF call from selectedaddress space via WTO

The tool and documentation can be downloaded from :

ftp://www.redbooks.ibm.com/redbooks/GG243984/

§Other RACF “goodies”:

http://www03.ibm.com/servers/eserver/zseries/zos/racf/goodies.html

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com

ftp://www.redbooks.ibm.com/redbooks/GG243984/

http://www-03.ibm.com/servers/eserver/zseries/zos/racf/goodies.html



154

153

Visit the IMS Home Page Frequently

§ www.ibm.com/ims contains links to

– Upcoming Webcasts, Roadshows and other events– Samples submitted by IBM and customers (IMS

Examples Exchange)– Presentations/papers– Library– IMS Tools and the Tools library– Information Center– IMS Newsletters

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com

http://www.ibm.com/imscontains



155

154

Online User Forums

IMSLhttp://imslistserv.bmc.com/

Virtual IMS Connectionhttp://www.virtualims.com

IMS Societyhttp://www.imssociety.com/board/index.php

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com

http://imslistserv.bmc.com/

http://www.virtualims.com

http://www.ims-society.com/board/index.php



156

155

Call or Write

Maida [email protected]6205762

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com

mailto:[email protected]



157

156


Hints and Tips and FAQs

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



158

157

SMU Conversion FAQs1) When I change the RCF value, do I need to COLD start?

YES! Changing the RCF parameter requires a COLD start of IMS to take effect.

2) How do I convert the SMU TERMINAL statements for WTO and MTO to RACF?If your SMU allows WTO and MTO to do all commands then no action is necessary.IMS bypasses the RACF check for commands from the System Console and MTO.

3) I removed all my STERM statements from SMU. Why does IMS still see them?If you have no STERM statements then the Security Gen (DFSISMP0 SMU utility) willnot produce a new version of member DFSISSOx. If there is an existing DFSISSOxin the MATRIX dataset, the utility will not delete it. You need to do that yourself bydeleting or renaming it. This applies to any of the MATRIX dataset members when allof their corresponding control statements have been removed from SMU.

4) I tried to turn off Type 1 AOI security by starting IMS with /NRE NOTRANCMDS. Why are allCMD calls now being rejected?In IMSV9 TRANCMD=NO on the SECURITY macro and NOTRANCMDS on an IMS restartdo not have the same effect. TRANCMD=NO or AOI1=N turns off security for CMD calls.Starting IMS with NOTRANCMDS means transactions cannot issue the CMD call.In IMSV10 NOTRANCMDS is ignored.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



159

158

SMU Conversion FAQs5) How can I force the TCO terminal, DFSTCF, to sign on if I can’t code it in the

IMSGEN?The only way to force the TCO terminal to sign on is to code SIGNON=ALL inDFSDCxx.If you code SIGNON=SPECIFIC or SIGNON=NONE, the TCO terminal will not berequired to sign on.

6) Why does my TCO script execute even though I didn’t put a valid user ID andpassword sign on in the script?If TCO doesn’t sign on or signs on and fails verification and you do not require theTCO terminal to sign on (see above), then RACF will use the IMS control regionuser ID. If the IMS control region user ID is authorized to do the transaction orcommand, the script will execute.

7) Why are some of the commands in my TCO script being rejected by RACF eventhough I have a valid TCO user ID that signs on in the script?

If you put a /SIGN OFF at the end of the TCO script, the RACF ACEE for the TCOuser ID will be deleted at signoff time. Any timeinitiated commands ortransactions scheduled to execute at a later time will fail the RACF check. Theexception to this is when you do not require the TCO terminal to sign on and theIMS control region is authorized to do the transaction or command. Recommendyou do not put /SIGN OFF in the script.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



160

159

SMU Conversion FAQs8) Why is SMU rejecting transactions even though I specified RACF for transaction

authorization and I removed all the TERMINAL statements from SMU?If RACF security is specified for transactions from static terminals, and if the SECURITYmacro specifies TERMNL=YES or PASSWD=YES, then IMS will do bothRACF and SMU security checks for transactions from static terminals. The SMUchecks will be done after the RACF checks. During your SMU migration, if youremoved TERMINAL statements from your SMU but did not set TERMNL=NO, staticterminal users could receive SMU security violations even though they are authorized byRACF. This only applies to transactions, not commands.

9) Why am I getting a DFS171A Security Load Failed after I removed all my SMUstatements and emptied my MATRIX dataset?

If your SECURITY macro specifies TERMNL=YES and/or PASSWORD=YES, IMSexpects to be able to load the MATRIX dataset member that contains SMU TERMINALstatements or SMU PASSWORD statements. If you remove the TERMINAL andPASSWORD statements from SMU but you still have TERMINL=YES and/orPASSWORD=YES specified on the SECURITY macro, IMS will issue the DFS171Amessage at initialization. This is an informational message and IMS will come up.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



161

160

SMU Conversion FAQs10) Do I have to remove the AGN parameter on all my BMP jobs when I convert from

SMU to RACF?No. The AGN parameter on all procedures is valid for compatibility and ignored.

11) Do I have to change ISIS=0 to ISIS=N for IMS V10?It depends on what your SECURITY macro specifies. IMSV10 ignores ISIS=0,1,2which means the TYPE specification on the SECURITY macro will be used todetermine the setting for RAS security.

12) If I want all my static terminals to sign on, do I have to code OPTIONS=SIGNONon every static terminal macro?No. When you want all of your static terminals to sign on, you can specifySIGNON=ALL in the DFSDCxxx PROCLIB member. This requires all staticterminals to sign on except MTO, LU6.1, 3284/3286, and SLU1 printeronlydevices.If you want the MTO to sign on, specify the OPTIONS=SIGNON on the MTO’sTYPE or TERMINAL macro.

13) Why are CMD calls being rejected even though I coded AOI1=R?AOI1=R has no effect unless AOI= is coded on the TRANSACT macro.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



162

161

SMU Conversion FAQs14) What user ID is used for AO application programs when AOI=YES in the TRANSACT

macro?If the AOI program is MPP or IFP and a message GU call has completed, the user ID isthe user at the signedon terminal or the LTERM name of the signedoff terminal wherethe transaction is issued. If GU is not issued, PSB name is used.If the AOI program is a BMP, and a message GU call has completed, the user ID is theuser of a signedon terminal or the LTERM name of the signedoff terminal where thetransaction is issued. If GU is not issued or if the BMP is nonmessage driven, the valueof the USER parameter specified on the JCL JOB statement is used. If the USERparameter is Not specified, a user ID of 0000000 is used.If the AOI program is a DRA THREAD, the security token that is passed in the PAPL fora schedule request is used to determine whether the user can issue command calls.

15) How can I convert SMU LTERM security to RACF transaction authorization fortransactions coming over an ISC link from a device that is unable to sign on?One possible approach: if sign on is not required, then the IMS control region user ID isUsed when IMS calls RACF. If the IMS control region user ID is authorized, then theTransaction Authorization Exit (DFSCTRN0) will be called for further checking. If theISC transaction makes a CHNG call, IMS will use the LTERM name as the user ID andtry to create an ACEE for it. You could create a user ID for the LTERM name or use theSecurity Reverification Exit (DFSCTSE0) to override the RACF failure.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



163

162

Hints and Tips1) If you change the RCF parameter, a COLD start is required for the change to take effect.2) If you protect the RECONs in RACF, be sure users have authorization to all 3 RECON

datasets. If the VSAM open for either RECON1 or RECON2 fails because of a RACFsecurity violation, IMS interprets the open failure as an I/O error and discards thatRECON dataset

3) Opening a VSAM dataset for update requires CONTROL access in RACF (for CI splitprocessing)

4) If you change the RCLASS and request RACF security, be sure you have defined yournew C,T,I,L classes in the RACF CDT and ACTIVATEd them in RACF before you startIMS. If required classes are not defined, IMS will abend at initialization with a U0166abend. You don’t have to define any resource profiles in the classes but the classesmust be defined to RACF in the CDT. If you don’t define the F,S,O,P classes, IMS willissue informational msg DFS2466I but not abend. (Application programs may not beable to do AUTH calls.)

5) In IMSV9, all IMS jobs, utilities and subsystems in which DBRC is active requireCONTROL access to the RECONs. IMSV10 provides the option of opening RECON forreadonly access

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



164

163

Hints and Tips6) CMDMCS guides the authorization of IMS commands that originate from MCS

consoles. If CMDMCS=R, the userid of the MCS console is checked by RACF beforeallowing the command. If the command is a DBRC command (/RMx) and the /RMxcommand is authorized by the CMDMCS RACF check, then the DBRC security checkis not done.

7) /RM commands are automatically authorized if they come from the MVS console orthe IMS master. No DBRC security check is done.

8) When either the AOIS or CMDMCS startup values indicate that DFSCCMDO(Command Authorization Exit) is to be invoked, DFSCCMD0 must be included in theIMS system or IMS abends with a U0718 at initialization.

9) An input message going from front end IMS to back end IMS includes the user ID andgroup name. If transaction authorization is activated on the BE and the applicationissues a CHNG call, IMS calls RACF to create an ACEE based on the user ID andgroup name that was passed from the FE in the IOPCB. If the BE uses a differentRACF database, the user must be attached to the same RACF group on the BE as heis on the FE or authorization on the BE will fail: INVALID GROUP. If RACF databaseis not shared, recommend keeping them in synch.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



165

164

Hints and Tips10) If SIGNON=SPECIFIC in DFSDC then NOSIGNON will be default for all static

terminals11) Console and Master are never required to sign on and not impacted by STERM ALL or

SIGNON=ALL12) IMS bypasses the RACF check for commands from the system console and MTO.

Transactions from the system console are handled the same as transactions comingfrom any static terminal. This means sign on may be required for transactions.

13) RACF does not have to be enabled for every type of input source. For example, it’s okto say RCF=N and ISIS=R to have RACF RAS security but no RACF security forcommands or transactions from SNA terminal users.

14) ODBA (e.g. DB2 stored procedures) can be secured using APSB security by specifyingODBASE=Y (and RACF turned on) or you can use RAS security by specifying ISIS=R.If both ODBASE and ISIS are specified, ODBASE will be used for ODBA.

15) You can do an IMSGEN with TRANEX specified and not have a TransactionAuthorization exit. There will be an unresolved reference for DFSCTRN0. If this exit islater added, you need to relink the IMS Nucleus (DFSVNUCx) to pick up the exit.Copying the exit to RESLIB is not enough.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



166

165

Hints and Tips16) An AOI program issuing an unauthorized CMD call will receive a CD status code.17) Any time IMS issues a RACROUTE that results in an update of the RACF database, it

causes an exclusive enqueue on the data set. For example, /SIGN with NEWPW andVERIFY.

18) To find out if more than one profile protects a particular resource, issue the RLISTcommand with the RESGROUP operand.For example: RLIST CIMS EXI RESGROUPRLIST RESGROUP does not support generic matches. If you define a profile and usegeneric characters such as (*) to add members to the profile, RLIST RESGROUP willnot return any of the matching profiles in its output.For example,RDEF GIMS GIMSGRP ADDMEM(ABC*)RLIST GIMS ABCD RESGROUPABC* will not appear in the RLIST output.

19) If you have no STERM statements then DFSISMP0 (SMU utility) will not produce anew version of member DFSISSOx. If there is an existing DFSISSOx in the MATRIXdataset, the utility will not delete it. You need to remove the member yourself bydeleting or renaming it. This applies to any of the MATRIX dataset members when allof their corresponding control statements have been removed from SMU.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



167

166

Hints and Tips20) Sample approach to replace LTERM security for an ISC link that doesn’t sign on: If

signon is not required, then the CTL region user ID is used on the FASTAUTH againstthe transaction name. You could then use the DFSCTRN0 exit to check security. If theISC transaction subsequently makes a CHNG call, IMS will use the LTERM name asthe user ID and try to create an ACEE for it. You could create user IDs for the LTERMnames or use DFSCTSE0 to override the RACF failure.

21) If you implement TCORACF security you need a /SIGN ON in the TCO script with auser ID and password. This will create an ACEE for the TCO user ID to authorizetransactions and commands issued by the script. If you put a /SIGN OFF in the script,the ACEE will be deleted and any timeinitiated commands or transactions scheduledto execute at a later time will fail the RACF check. Recommend you do not /SIGN OFF

22) If RACF security is specified for transactions from static terminals, and if theSECURITY macro specifies TERMNL=YES/FORCE or PASSWD=YES/FORCE, thenIMS will do both RACF and SMU security checks for transactions from static terminals.The SMU checks will be done after the RACF checks are done. During your SMUmigration, if you removed TERMINAL statements from your SMU but did not setTERMNL=NO, static terminal users can receive SMU security violations even thoughthey are authorized by RACF. This only applies to transactions, not commands

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



168

167

Hints and Tips23) RACF always uses the most specific (discrete) profile it can find for the resource.

Be aware of things like this:RDEF FACILITY PROD.LIST.DB.* UACC(NONE)PERMIT PROD.LIST.DB.* CLASS(FACILITY) ID(JONES) ACCESS(READ)RDEF FACILITY PROD.LIST.DB.AAA UACC(NONE)PERMIT PROD.LIST.DB.AAA CLASS(FACILITY) ID(SANCHEZ)ACCESS(READ)• Jones cannot do LIST.DB DBD(AAA)but Jones can list database AAA by using LIST.DB ALL

Be aware of things like this:RDEF TIMS ** UACC(NONE)PERMIT ** CLASS(TIMS) ID(JONES) ACCESS(READ)RDEF TIMS ADDINV UACC(NONE)PERMIT ADDINV CLASS(TIMS) ID(SANCHEZ)Jones cannot access ADDINV transaction.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



169

168

Hints and Tips24) If USER1 is in the access list of the generic ** profile and there is another

access list for a specific member of that same class then USER1 will nothave access to that specific member.For example:PE ** CLASS(CIMS) ID(MAIDA) ACCESS(READ)PE DIS CLASS(CIMS) ID(JAMES) ACCESS(READ)results in MAIDA having access to all commands except /DIS.

25) In IMSV10, ISIS=0,1,2 are ignored and ISIS will default to the TYPEspecification on the SECURITY macro for RAS security.

26) AGN coded on procedures is valid for compatibility but ignored.27) RACF ALTER access is required to extend database datasets to new

candidate volumes.28) If you activate RAS security, then every dependent region will need to be

authorized to the IMSid protected in the APPL class.29) CIMS resource names must be the first 3 characters of the IMS command.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



170

169

Hints and Tips30) If sign on is not required and the user does not sign on, RACF uses the ACEE of the

“default environment” for authorization. (ETO terminals are always required to signon.) The “default environment” could be the IMS control region or it could be thedependent region.

31) With TERMNL=YES specified on the SECURITY macro, IMS expects to be able toload the MATRIX dataset member that contains SMU TERMINAL statements. WithPASSWORD=YES specified on the SECURITY macro, IMS expects to be able to loadthe MATRIX member that contains PASSWORD statements. If you remove allTERMINAL and/or PASSWORD statements from SMU and you have TERMNL=YESand/or PASSWORD=YES specified on the SECURITY macro, IMS will issue theDFS171A msg at initialization. This is informational and IMS will still come up.

32) When no command security is specified for a given input source, you will get defaultsecurity for commands entered from source. For example, if you set up RACFcommand authorization to allow /DIS from terminals, but you did not specify a valuefor APPCSE, then the default security for APPC allows only /BROADCAST, /LOG,/RDISPLAY and /RMLIST commands and the /DIS command will not be acceptedfrom an APPC device.

33) Default security only applies to commands, not transactions.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



171

170

Hints and Tips34) Unless you have RACF configured for SYSPLEX communication,

a SETR RACLIST(TIMS) REFRESH on SYSA is not propagated toSYSB. You have to issue the same command on SYSB as well.

35) You might have to recycle IMS to grant new dataset access. If new access is given toa GROUP and IMS was not previously connected to that GROUP, then IMS will needto be recycled. If the access was given to IMS or a GROUP IMS was alreadyconnected to, then refreshing the profile should be enough. If the profile is generic,thenSETROPTS REFRESH GENERIC(DATASET) needs to be issued.You don’t have to recycle IMS for RACF resource profiles changes to take effect. Youonly need to refresh the RACF dataspace by issuingSETR RACLIST(classname) REFRESHClassname should always be the member class (e.g. CIMS), not the grouping class(e.g. DIMS).

36) When you have class pairs of MEMBER and GROUP types, allaction items (other than changing profiles) are against the MEMBERclass.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



172

171

Hints and Tips37) The ** (G) profile covers all resources NOT already defined in the class.

For example, RDEF CIMS ** UACC(NONE) covers all commands that do not havetheir own profile in CIMS or a DIMS group.RACF looks for:a) Discrete CIMS profile (merged with information from DIMS classand the ADDMEMs referenced in DIMS profiles as matches for the CIMS profiles) anduse the most restrictiveb) If no discrete CIMS profile is found but there are CIMS or DIMS generic profilesthen the "best" or most accurate match is used.c) Finally, the ** (G) profile covers all other IMS commands notalready defined in the CIMS as either DISCRETE or GENERIC.

This final profile is often called the backstop or profile of last resort

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



173

172

Hints and Tips38) Member classes and Grouping class definitions are merged when RACLISTed. IMS

authorization calls are made against the member class. When there are “conflicts”,the most restrictive definition is used.

39) If a resource name appears in more than one resource group and/or has a discreteprofile of its own with conflicting UACCs, RACF chooses the most restrictive UACC.If a user is in more than one access list for the same resource, the information ismerged and the most permissive (least restrictive) ACCESS is used.(see z/OS: Security Server RACF Security Administrator's Guide: Resolving Conflictsamong Multiple Profiles)Be aware of things like this:RDEF DIMS DBAGROUP(ADDMEM DBR) UACC NONERDEF DIMS SYSPROG(ADDMEM DBR) UACC NONEPE DBAGROUP CLASS(DIMS) ID(JOE) ACCESS(NONE)PE SYSPROG CLASS(DIMS) ID(JOE) ACCESS(READ)After the merge, JOE has READ access to the /DBR command.

40) The /SIGN and /RCLDST commands are the only commands that an ETO terminalcan enter before it signs on. RACF is not called to authorize these commands.

Click t

o buy NOW!

PDFXCHANGE


k to buy N

OW!PDFXCHANGE

www.docutrack.com



Documents

IBM IMS Security with RACF