Post on 17-Jun-2015
transcript

Part 1: IMS SECURITY BASICS
Part 2: SMU CONVERSION
Maida Snapper, IMS Specialist, IBM
maidalee@us.ibm.com
Disclaimer

© Copyright IBM Corporation [current year]. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE USE OF IBM PRODUCTS AND/OR SOFTWARE.

IBM, the IBM logo, ibm.com, DB2, CICS, RACF and IMS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

Other company, product, or service names may be trademarks or service marks of others.
PART 1: SECURITY BASICS
Develop an IMS Security Strategy

§ Which IMS resources need protection
§ What protection do they need
§ Who can access them
§ What security facilities will be used
  – There is often more than one way to protect a given resource.
Which Resources Need Protection

§ IMS application (CTL, DL/I, etc.)
§ Transactions
§ Commands
§ Terminals
§ PSBs
§ Datasets
§ Databases (records, fields, segments)
§ Dependent regions and connection threads
§ Coupling Facility structures
§ IMSplex
§ XCF group
Security Facilities

§ IMS default security
§ Program Specification Block (PSB)
§ Encryption
§ VSAM password protection
§ Application-based security
§ Physical security
§ RACF (or other SAF product)
§ Exits
Security Facilities – IMS Default Security

§ Limits commands from sources other than the IMS Master terminal and TCO
§ Applies only to IMS type-1 commands
§ Is based on the command's source of entry
§ Is what you get when you do not specify a command security option for commands entered from that source
§ Is not optional: it can only be deactivated by specifying command security for commands entered from that source

IMS V10 Command Reference Volume 1
Security Facilities – IMS Default Security

Commands allowed by default when a static or ETO terminal is the source of entry:

/BROADCAST /CANCEL /DIAGNOSE /END /EXCLUSIVE /EXIT /FORMAT /HOLD /IAM /LOCK /LOG
/LOOPTEST /RCLSDST /RCOMPT /RDISPLAY /RELEASE /RESET /RMLIST /SET /SIGN /TEST /UNLOCK
Security Facilities – IMS Default Security

Commands allowed by default when OTMA is the source of command entry:

/LOCK /LOG /RDISPLAY
Security Facilities – IMS Default Security

Commands allowed by default when LU 6.2 is the source of command entry:

/BROADCAST /LOCK /LOG /RDISPLAY /RMLIST
Security Facilities – IMS Default Security

EXAMPLE

  RCF=A
  APPCSE=N
  RDEF CIMS DIS UACC(READ)

Result:
/DIS from 3270-type terminals is accepted: RCF=A calls RACF for commands from static and ETO terminals, and the CIMS profile for DIS grants READ to everyone.
/DIS from LU 6.2 over APPC is a security violation: APPCSE=N means RACF is not called for that source, so IMS default security applies, and /DIS is not in the default command list for LU 6.2 (only /BROADCAST, /LOCK, /LOG, /RDISPLAY and /RMLIST are).
Security Facilities – PSB

§ PSB (Program Specification Block) provides database security
  – Data sensitivity (SENSEG, SENFLD) describes the application's view of the database
  – Processing options (PROCOPT) define what the application can do (e.g. read or update)
§ PSB should be coded to facilitate security requirements
  – Define only the segments and fields needed
  – Use only the processing option needed
§ PSB is a trusted resource
  – IMS makes no security calls for hard-coded resources in a PSB
  – A user authorized to submit a transaction using the PSB is also authorized to submit a transaction to a destination hard-coded in the alternate PCB
Security Facilities – Encryption

Database encryption may be performed by
§ zSeries and S/390 Crypto Hardware features
§ z/OS Cryptographic Services
  Integrated Cryptographic Service Facility (ICSF), a component of z/OS Cryptographic Services, is the software interface to the crypto hardware
§ Segment Edit/Compression Exit Routine (DFSCMPX0)
  – can invoke a user-supplied encryption routine
  – can call ICSF or another product
  – can invoke the IBM Data Encryption for IMS and DB2 Databases tool (5655-P03)
  – can be different for each segment
Encryption

Data Encryption for DB2 and IMS Databases tool:
§ requires the IBM optional Crypto Express2 (CEX2) hardware feature
§ requires ICSF, the software interface to the crypto hardware
§ requires the standard CP Assist for Cryptographic Function (CPACF) to be enabled and active if the clear key exit is used
§ is recommended over roll-your-own solutions, as extensive testing has been done to ensure the product works with all the product interfaces
§ requires no changes to applications, just a change to the DBD to define the exit routine
Security Facilities – Encryption

Sample PAYROLL database (hierarchy diagram on the slide: root segment NAME with child segments ADDRESS and PAYROLL; the PAYROLL segment carries the edit/compression exit):

  SEGM … ,COMPRTN=(routinename,DATA,INIT,MAX)
Security Facilities – Encryption

Sample DBD for the Payroll database

  DBD      NAME=PAYROLDB,ACCESS=HISAM
  DATASET  DD1=PAYROLL,OVFLW=PAYROLOV,
  SEGM     NAME=NAME,BYTES=150,FREQ=1000,PARENT=0
  FIELD    NAME=(EMPLOYEE,SEQ,U),BYTES=60,START=1,TYPE=C
  FIELD    NAME=MANNBR,BYTES=15,START=61,TYPE=C
  FIELD    NAME=ADDR,BYTES=75,START=76,TYPE=C
  SEGM     NAME=ADDRESS,BYTES=200,FREQ=2,PARENT=NAME
  FIELD    NAME=HOMEADDR,BYTES=100,START=1,TYPE=C
  FIELD    NAME=COMAILOC,BYTES=100,START=101,TYPE=C
  SEGM     NAME=PAYROLL,BYTES=100,FREQ=1,PARENT=NAME,COMPRTN=(DFSCMPX0,DATA,INIT,MAX)
  FIELD    NAME=HOURS,BYTES=15,START=51,TYPE=P
  FIELD    NAME=BASICPAY,BYTES=15,START=1,TYPE=P
  DBDGEN
  FINISH
  END
Security Facilities – VSAM Password Protection

VSAM password protection for IMS databases in batch environments
§ prevents accidental access of IMS databases by non-IMS programs
§ is used in conjunction with the VSAM CONTROLPW specification on VSAM DEFINE statements
§ specify PASSWD=YES/NO on the DBD
§ is ignored in the IMS Online (DB/DC) environment
Security Facilities – VSAM Password Protection

PASSWD=NO on the DBD statement
§ is the default
§ specifies that the DBDNAME for this DBD should not be used as the VSAM password
§ in IMS Batch, causes the operator to be prompted for the password each time the data set is opened
Security Facilities – VSAM Password Protection

PASSWD=YES on the DBD statement
§ DL/I open uses the DBDNAME as the VSAM password for each dataset
§ all datasets for the DBD must use the same password
§ the CONTROLPW or MASTERPW password on the VSAM DEFINE must be the same as the DBDNAME for the DBD
§ invalid for ACCESS=LOGICAL, MSDB, DEDB
Security Facilities – Application-based Security

§ Application program can perform its own security checks
§ Security rules could be stored in
  – Internal table in program
  – Database
  – RACF
    Application program can access RACF info with the DL/I AUTH call
    • Database
    • Field
    • Segment
    • Other
§ Application program grants or denies resource access based on the USERID of the user who entered the transaction
Security Facilities –Physical Security
Setting Up RACF

§ Create Resource Class descriptions in the Class Descriptor Table (CDT), e.g. TIMS, CIMS, or installation-defined
§ Make sure the IMS Resource Classes are activated in RACF
§ Populate the RACF database
  – Create group & user profiles
    • Define groups
    • Define users
    • Connect users to groups
  – Create resource profiles
    Define a profile in the appropriate class for each resource to be secured
  – Create access lists
    Permit groups | users to access the resource
RACF Resource Class

§ Collection of profiles with similar characteristics
§ Defined in the Class Descriptor Table (CDT)
  – Can be defined dynamically
  – Maximum 1024
§ Two types of resource classes
  – Member class
    example, CIMS: one profile protects one command
  – Grouping class
    example, DIMS: one profile protects several commands
RACF Resource Class
Example of some resource classes delivered with RACF:
TIMS CIMS IIMS LIMS
RACF Resource Class

RACF default resource classes used exclusively by IMS (RCLASS=IMS)

  CIMS | DIMS   Commands (first 3 characters of command)
  TIMS | GIMS   Transactions (trancode)
  IIMS | JIMS   Program Specification Blocks (PSBs)
  LIMS | MIMS   Logical terminals (LTERM)
  AIMS          APSB (Allocate PSB) for CPI-C and ODBA
  RIMS          asynchronous hold queues for the RESUME TPIPE call
  FIMS | HIMS   Database fields (for AUTH calls)
  SIMS | UIMS   Database segments (for AUTH calls)
  OIMS | WIMS   Other (information in RACF for AUTH calls)
  PIMS | QIMS   Databases (for AUTH calls)
RACF Resource Class

RACF resource classes not exclusive to IMS

  TERMINAL | GTERMINL
  APPL
  VTAMAPPL
  APPCPORT
  APPCLU
  APPCTP
  DATASET
  FACILITY
  OPERCMDS
  STARTED
RACF Resource Class

Example of some installation-defined resource classes when RCLASS=IMSTEST:

  TIMSTEST CIMSTEST IIMSTEST LIMSTEST
RACF Resource Class

§ RCLASS specification in IMS = 1-7 alphanumerics
  – define on the SECURITY macro
  – override in DFSDCxxx
  – default = IMS
§ Different RCLASS values can be used to define different RACF rules for different IMS systems sharing one RACF database
  – example 1: RCLASS=IMSTEST
  – example 2: RCLASS=imsid
§ Define each new resource class in the Class Descriptor Table (CDT)
§ Activate resource classes in RACF
  SETR CLASSACT(classname)
RACF Resource Class

§ Class Descriptor Table (CDT)
  – entries can be defined statically (IPL) or dynamically (no IPL)
  – maximum 1024 entries
    • 256 defined by IBM
    • 768 can be installation-defined
  – loaded at IPL by merging static, then dynamic class descriptors
  – a dynamic entry will replace a static one of the same name
  – if the merge reaches 1024, RACF warns that entries are being ignored
  – the CDT processes a paired member and grouping class together
§ Updating the RACF Router Table for new resource classes is not required
§ Supplied CDT entries are documented in Appendix C of the z/OS Security Server RACF Macros and Interfaces
Populate the RACF Database

Consists of profiles
§ Group profile
  Defines group name, group authority, subgroups, ...
§ User profile
  Defines individual user ID, password, user attributes, connect groups, ...
§ Resource profile
  Defines security requirements for a resource
  – Defines Universal Access
  – Defines authorized users/groups (access list)
RACF GROUP and USER Profiles

Example of defining group and user profiles (not all required parameters shown here)

  ADDGROUP IMSGRP4 ...
  ADDGROUP DBAGRP ...
  ADDUSER IMSUS99 NAME(BILL) PASSWORD(IMSPW99) DFLTGRP(IMSGRP4) ...
  CONNECT IMSUS99 GROUP(IMSGRP4) ...
  CONNECT IMSUS99 GROUP(DBAGRP) ...
RACF GROUP and USER Profiles

§ When IMS resources are protected by RACF
  – IMS needs a user ID
  – DL/I SAS needs a user ID
  – Dependent regions may need a user ID
§ The user IDs are needed for
  – Access to system resources and data sets
    For example, the system dump data set
  – Access to IMS protected data sets
    For example, IMS RECON or RESLIB
  – Access to IMS resources as the default user ID
§ User IDs can be assigned to these started tasks using the RACF STARTED class
RACF Resource Profiles

§ Discrete profile
  – protects a single resource
  – fully qualified profile name
§ Generic profile
  – protects one or more resources of the same type
  – profile contains generic (wildcard) characters
  – SETR GENERIC(classname) to enable generics
§ Fully-qualified generic profile
  – used only by the DATASET resource class
  – used to retain the profile when the dataset is deleted

If multiple profiles exist for a resource, RACF uses the most specific
RACF Resource Profiles

Define a RACF resource profile:
  RDEFINE | RDEF classname profilename UACC(accessauthority)
§ classname is the RACF resource class
§ profilename is the IMS resource name
§ UACC is the universal access authority

Examples:
  RDEFINE TIMS IMSTRANA UACC(READ)
  RDEFINE TIMS IMSTRAN* UACC(NONE)
  RDEFINE CIMS DIS UACC(READ)
  RDEFINE DIMS DBACMDS UACC(NONE) ADDMEM(STO,STA,DBR)

§ z/OS Security Server RACF Command Language Reference, Appendix A. Naming Considerations for Resource Profiles.
RACF Resource Profiles

  RDEFINE CIMS DIS UACC(READ)
  RDEFINE DIMS DBACMDS ADDMEM(STO,STA,DIS) UACC(NONE)
RACF Resource Profiles

  IMS resource            RACF class name   RACF member class profile name
  Transaction             TIMS / GIMS       transaction name
  Command (type 1)        CIMS / DIMS       first 3 characters of command
  PSB                     IIMS / JIMS       psb name
  LTERM                   LIMS / MIMS       lterm name
  DBRC command            FACILITY          safhlq.command_verb.qualifier.modifier
  OM commands             OPERCMDS          IMS.plxname.command_verb.command_keyword
  CF structures           FACILITY          CQSSTR.structure_name or IXLSTR.structure_name
  IMS Control Region      APPL              imsid
  IMSplex (CSL)           FACILITY          CSL.imsplexname
  Dataset                 DATASET           dataset name
  XCF group (Client bid)  FACILITY          IMSXCF.groupname.membername
RACF Resource Profiles

Universal Access Authority (UACC)
§ Can be any one of the following: NONE, READ, EXECUTE, UPDATE, CONTROL, ALTER
§ READ is required for most IMS resources
§ UPDATE is required for
  – Some Type 2 commands
  – CQS access to CF structures (SMQ and RM)
  – Registering with SCI to join an IMSplex
§ CONTROL is required for
  – VSAM datasets opened for update
  – IMS V10 gives the option to open the RECON for READ
RACF Access Lists

Add an access list to a resource profile:
  PERMIT | PE profilename CLASS(classname) ID(userid(s) and/or groupname(s)) ACCESS(accessauthority)

Examples:
  PERMIT IMSTRAN* CLASS(TIMS) ID(GROUPA JOE) ACCESS(READ)
  PERMIT STO CLASS(CIMS) ID(NANCY DBAGRP) ACCESS(READ) WHEN(TERMINAL(terminalid ...))
RACF Access Lists

§ User or Group Access Authority (ACCESS) can be:
  – NONE
  – READ
  – EXECUTE
  – UPDATE
  – CONTROL (for VSAM)
  – ALTER
§ Maximum entries in the access list of a profile is 5957
  – the access list of each profile is limited to 65535 bytes
  – each user or group in the access list uses 11 bytes
RACF Access Lists

§ Associated with resource profiles
§ Define access authorities of GROUPs and USERs

Example (diagram on the slide):
  Resource class:  CIMS
  Resource:        DIS
  UACC:            NONE
  Profile owner:   IMSADMIN
  Access list (group or userid, access level):
    GROUPY    READ
    STILWELL  NONE
    CM431GP   READ
Making RACF Security Changes Online

§ To update a RACF security definition
  – update the RACF database
  – refresh the RACF data space from the database by issuing
    SETROPTS RACLIST(classname) REFRESH
§ RACF refreshes all classes with the same CDT POSIT value as classname
§ specify the member classname, not the grouping classname
  for example, specify CIMS, not DIMS
§ REFRESH must be entered on all members of a SYSPLEX unless RACF is configured for SYSPLEX communication
How IMS Talks to SAF

§ When IMS initializes
  – IMS calls RACF to load the IMS resource profiles into a data space (RACLIST)
    RACROUTE REQUEST=LIST,GLOBAL=YES
  – DATASET, Group and User profiles are not eligible for the data space
  – RACF builds an ACEE for the IMS user ID
§ When a user signs on to IMS
  – IMS calls RACF for sign-on verification
    RACROUTE REQUEST=VERIFY,ENVIR=CREATE,ACEE=addr...
  – IMS passes USERID, GROUP, PASSWRD, TERMID, APPL
  – RACF verifies user ID, password, TERMINAL, APPL
  – RACF builds the ACEE
  – RACF returns the ACEE address and a return code to IMS

z/OS Security Server RACF RACROUTE Macro Reference
How IMS Talks to SAF

§ When a user accesses a resource
  – IMS calls RACF to check authorization
    RACROUTE REQUEST=FASTAUTH
    IMS passes ACEE, CLASS, ENTITY, ATTR
    Example: RACROUTE REQUEST=FASTAUTH,ACEE=addr,CLASS=CIMS,ENTITY=DIS,ATTR=READ
  – RACF sends a return code to IMS
    • 0 user is authorized
    • 4 resource has no profile
    • 8 user is not authorized
  – IMS grants access if the return code is 0 or 4
  – If the return code is 8, IMS calls RACF for audit logging
    RACROUTE REQUEST=AUTH with parameters similar to FASTAUTH
  – RACF checks authorization and logs violation messages
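The decision sequence on this slide, reduced to a runnable model. This is an added example and not code from the presentation or from IBM: it reproduces the semantics the slides describe (UACC, access lists, a user entry overriding group entries, grouping-class members, generic profiles, WARNING mode, and IMS granting on return code 0 or 4), but the generic-matching rule, the ordering used to pick the "most specific" profile, and list-of-groups checking are simplified assumptions, and every user, group and command name is constructed.

```python
"""Added example, not from the presentation: a model of the authorization
decision IMS makes on a command or transaction (REQUEST=FASTAUTH rc 0/4/8).
Generic matching, profile ranking and group checking are simplified assumptions."""
import re
from dataclasses import dataclass, field

ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]      # least to most
GROUPING_OF = {"CIMS": "DIMS", "TIMS": "GIMS", "IIMS": "JIMS", "LIMS": "MIMS"}  # member -> grouping


def _matches(name, resource):
    # Simplified generic rule (assumption): '%' one character, '*' any characters
    # within one qualifier, '**' any number of qualifiers; '.' and '$' are literal.
    rx = (name.replace(".", r"\.").replace("$", r"\$").replace("**", "\0")
          .replace("*", "[^.]*").replace("%", "[^.]").replace("\0", ".*"))
    return re.fullmatch(rx, resource) is not None


@dataclass
class Profile:
    cls: str
    name: str
    uacc: str = "NONE"
    warning: bool = False                     # RDEFINE ... WARNING (migration aid)
    members: tuple = ()                       # ADDMEM(...) on a grouping-class profile
    acl: dict = field(default_factory=dict)   # userid or group -> access authority


@dataclass
class Racf:
    active: set = field(default_factory=set)     # SETROPTS CLASSACT(...)
    generic: set = field(default_factory=set)    # SETROPTS GENERIC(...)
    groups: dict = field(default_factory=dict)   # userid -> connect groups
    profiles: list = field(default_factory=list)
    log: list = field(default_factory=list)      # what REQUEST=AUTH would write

    def rdefine(self, cls, name, uacc="NONE", warning=False, members=()):
        self.profiles.append(Profile(cls, name, uacc, warning, tuple(members)))

    def permit(self, cls, name, ids, access):
        prof = next(p for p in self.profiles if (p.cls, p.name) == (cls, name))
        for i in ids:
            prof.acl[i] = access

    def _find_profile(self, cls, resource):
        # Rank: discrete > grouping member > generic with most literal characters
        # (approximation of RACF's "most specific profile" rule; assumption).
        cands = []
        for p in self.profiles:
            is_generic = any(c in p.name for c in "*%")
            if p.cls == cls and not is_generic and p.name == resource:
                cands.append((2, 0, p))
            elif p.cls == GROUPING_OF.get(cls) and resource in p.members:
                cands.append((1, 0, p))
            elif p.cls == cls and is_generic and cls in self.generic and _matches(p.name, resource):
                cands.append((0, sum(c not in "*%" for c in p.name), p))
        return max(cands, key=lambda c: c[:2])[2] if cands else None

    def _user_access(self, prof, userid):
        if userid in prof.acl:                    # a user entry overrides group entries and UACC
            return prof.acl[userid]
        via_groups = [prof.acl[g] for g in self.groups.get(userid, ()) if g in prof.acl]
        return max(via_groups, key=ACCESS_ORDER.index) if via_groups else prof.uacc  # GRPLIST assumed

    def fastauth(self, cls, entity, attr, userid):  # rc 0 authorized, 4 no profile/inactive class, 8 denied
        prof = self._find_profile(cls, entity) if cls in self.active else None
        if prof is None:
            return 4, None
        granted = self._user_access(prof, userid)
        return (0 if ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(attr) else 8), prof


def ims_authorize(racf, cls, entity, userid, attr="READ"):
    """IMS grants on rc 0 or 4 (so an undefined resource is allowed); on rc 8 it
    drives REQUEST=AUTH, which logs the violation and honors WARNING mode."""
    rc, prof = racf.fastauth(cls, entity, attr, userid)
    if rc in (0, 4):
        return True, rc
    if prof.warning:
        racf.log.append(f"ICH408I USER({userid}) {cls} {entity} WARNING: access allowed")
        return True, rc
    racf.log.append(f"ICH408I USER({userid}) {cls} {entity} INSUFFICIENT ACCESS AUTHORITY")
    return False, rc


def build_sample_racf():
    """Constructed definitions mirroring the slides' RDEFINE/PERMIT examples."""
    r = Racf(active={"CIMS", "TIMS"}, generic={"TIMS"},
             groups={"NANCY": {"DBAGRP"}, "JOE": {"GROUPA"}, "STILWELL": {"GROUPY"}})
    r.rdefine("CIMS", "DIS", uacc="READ")                         # /DISPLAY open to every user
    r.rdefine("DIMS", "DBACMDS", members=("STO", "STA", "DBR"))   # one profile, three commands
    r.permit("DIMS", "DBACMDS", ["DBAGRP"], "READ")
    r.rdefine("TIMS", "IMSTRANA", uacc="READ")
    r.rdefine("TIMS", "IMSTRAN*", warning=True)                   # catch-all left in WARNING mode
    r.permit("TIMS", "IMSTRAN*", ["GROUPA", "JOE"], "READ")
    r.rdefine("CIMS", "CHE")
    r.permit("CIMS", "CHE", ["GROUPY"], "READ")
    r.permit("CIMS", "CHE", ["STILWELL"], "NONE")                 # explicit user NONE beats group READ
    return r
```

The point to take from running it: return code 4 means "no profile", and IMS treats it like 0, so a command or transaction nobody defined a profile for is allowed (and an inactive class behaves the same way). The catch-all IMSTRAN* profile is what closes that gap for transactions, and leaving it in WARNING mode reopens it with nothing but an ICH408I message to show for it.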
How IMS Talks to SAF

§ When a user signs off
  – IMS calls RACF to delete the user's ACEE
    RACROUTE REQUEST=VERIFY,ENVIR=DELETE,ACEE=addr...
  – RACF deletes the user's ACEE
§ When IMS terminates
  – IMS calls RACF to deregister interest in the resource classes
    RACROUTE REQUEST=VERIFY,ENVIR=DELETE,ACEE=addr...
  – RACF deletes the ACEE for the IMS user ID
  – GLOBAL=YES data spaces are not deleted
How IMS Talks to SAF

Accessor Environment Element (ACEE)
§ Constructed by RACF when the user signs on
§ Deleted when the user signs off
§ Contains a description of the user's security environment
  – User ID
  – Current connect group
  – User attributes
  – Group authorities

ACEE documented in z/OS IBM Security Server RACF Data Areas
Summary of RACF Commands

§ Adding profiles:
  – ADDUSER add user profile (AU)
  – ADDGROUP add group profile (AG)
  – ADDSD add dataset profile (AD)
  – CONNECT to associate a USER with a GROUP
  – RDEFINE define a profile for a general resource class (RDEF)
  – RALTER to make changes to a profile
§ Creating access lists to allow access to resources
  – PERMIT define resource access list (PE)
§ Set RACF options: SETROPTS (SETR)
  – CLASSACT – activate the resource class
  – RACLIST – populate the data space
  – GENERIC – allow generic resource checking
  – REFRESH – refresh the data space
RACF in WARNING Mode for Migration

To ease migration
§ you can specify WARNING in the resource profile definition (RDEF)
§ in WARNING mode you can audit access attempts:
  – RACF records each access attempt
  – if the user is not authorized, RACF allows access and sends ICH408I
  – if a notify user is specified in the resource profile, RACF also sends a warning message to that user
Security Facilities – Exits

§ Sign on/off verification
  – DFSCSGN0
  – DFSSGNX0
  – DFSSGFX0
§ Transaction authorization
  – DFSCTRN0
  – DFSCTSE0 (reverify)
  – DFSBSEX0 (build security environment)
§ Command authorization
  – DFSCCMD0
  – DSPDCAX0 (DBRC)
  – OM user exits
§ RAS (dependent region/thread)
  – DFSRAS00
§ Other
  – OTMA exits
  – DFSTCNT0 (TCO)
  – DFSCMPX0 (encryption)
  – DFSFLGE0 (log edit)
  – KBLA scrub

IMS V10 Exit Routine Reference
Security Facilities – Exits

§ DFSCTRN0 is generally not invoked unless the RACF return code is 0 or 4
§ DFSCTSE0 (the reverification entry point of DFSCTRN0) is always invoked for CHNG and AUTH calls, no matter what the RACF return code is
§ When DFSCCMD0 cannot be explicitly requested (e.g. APPCSE), it is invoked if it exists, no matter what the RACF return code is
§ DFSBSEX0 was offered to improve performance; it allows you to control if and when a security environment is dynamically built in cases where it does not exist (“back end” IMS, or the user has signed off, for example)
§ Exits can be used to do more granular checking than RACF may offer
How to Specify the Security Facility You Want
Tell IMS What Security To Use

§ IMSGEN macros
  – (COMM)
  – (IMSGEN)
  – SECURITY
  – LINE
  – TERMINAL
  – TRANSACT
  – TYPE
§ Override IMSGEN macros with
  – IMS execution parameters in JCL or PROCLIB
§ Override JCL or PROCLIB with
  – IMS commands
    • /NRE and /ERE
    • /SECURE
    • /SET
Security Macro – IMS V9

The IMS V9 SECURITY macro specifies security options for IMS resources
  – SMU security options
  – Other non-SMU security options, such as RACF and/or exit routine options

  SECURITY TYPE=...,
           SECLVL=...,
           RCLASS=...,
           SECCNT=3|2|1|0,
           TRANCMD=FORCE|YES|NO,
           TERMNL=FORCE|YES|NO,
           PASSWD=FORCE|YES|NO
Security Macro – IMS V10

The IMS V10 SECURITY macro specifies RACF and/or EXIT security options

  SECURITY TYPE=...,
           SECLVL=...,
           RCLASS=...,
           SECCNT=3|2|1|0,
           TRANCMD=FORCE|YES|NO
Security Macro

§ SECLVL= transaction authorization / sign-on verification
§ TYPE= RACF and/or EXITS; choose one from each column

  NORAS     NORACTRM   NOTRANEX   NOSIGNEX   NORACFCM
  RASRACF   RACFTERM   TRANEXIT   SIGNEXIT   RACFCOM
  RASEXIT
  RAS
IMS DB/DC Security Options

DFSPBxxx – these override the SECURITY macro

  TRN  = Transaction authorization option
  SGN  = Sign-on authorization option
  ISIS = Resource Access Security option
  RCF  = RACF security option(s)
  AOI1 = TRANCMD security option (TYPE 1 AOI)
Sign On Verification (SGN) – DFSPBxxx

SGN= overrides and augments SECURITY macro SECLVL
§ N specifies that the sign-on verification function is not in effect
§ Y specifies that the sign-on verification function is to be activated
§ F same as Y, except the MTO cannot negate the activation of the sign-on verification function
§ M a single userid can sign on to multiple terminals (does not activate sign-on verification)
§ Z = Y + M
§ G = F + M
Transaction Authorization (TRN) – DFSPBxxx

TRN= overrides SECURITY macro SECLVL
§ N Transaction authorization is inactive for this execution of IMS
    Can be activated on /NRE or /ERE COLDSYS
§ Y Transaction authorization is active for this execution of IMS
    Can be deactivated on /NRE or /ERE COLDSYS
§ F Same as Y
    Cannot be deactivated on /NRE or /ERE COLDSYS
RACF Authorization (RCF) – DFSPBxxx

RCF= overrides and augments SECURITY macro TYPE
§ N do not call RACF for sign-on verification, transaction or command authorization for input from static or ETO terminals
§ C call RACF to authorize commands entered from ETO terminals
§ S call RACF to authorize commands entered from both static and ETO terminals
§ T call RACF for sign-on verification and transaction authorization
§ Y call RACF for sign-on verification, transaction authorization and command authorization for commands entered from ETO devices
§ A call RACF for sign-on verification, transaction authorization and command authorization for commands entered from both static and ETO devices
More IMS DB/DC Security Options

DFSPBxxx – these have no equivalent on the SECURITY macro

  AOIS    = ICMD security option (TYPE 2 AOI)
  CMDMCS  = MCS/EMCS command option
  ODBASE  = ODBA security option
  APPCSE  = APPC security option
  OTMASE  = OTMA security option
  TCORACF = TCO RACF command authorization security option
  RVFY    = RACF reverify option
  RCFTCB  = Number of RACF TCBs
  ALOT    = automatic logoff for ETO
  ASOT    = automatic sign-off for ETO
IMS DC Security Options

DFSDCxxx
– This overrides the SECURITY macro
  • RCLASS  1-7 character suffix for the RACF IMS resource classes
– These have no equivalent on the SECURITY macro
  • BMPUSID
  • MSCSEC
  • LOCKSEC
  • SIGNON
  • SAPPLID
Operations Manager Security Options

§ CSLOIxxx (Operations Manager PROCLIB)
  CMDSEC = security option for all commands routed through Operations Manager (OM)
§ DFSCGxxx (IMS PROCLIB)
  CMDSEC = security option for Type 1 commands routed through Operations Manager (OM)
IMS Security-related Log Records

§ Type X'10'
  – Security violation has occurred
§ Type X'16'
  – Written at /SIGN ON and /SIGN OFF
  – Contains
    • Physical terminal identifier
    • Userid
    • IMS time stamp
§ Contain the userid of the signed-on user
  – Types X'01' and X'5901' input message
  – Types X'03' and X'5903' output message
  – Types X'50', X'51', X'52' and X'5950' database change records
Putting It All Together
Factors Affecting Security

The security in force is determined by ...
§ IMS system definition
§ IMS JCL overrides
§ IMS PROCLIB overrides
  – DFSPBxxx
  – DFSDCxxx
  – CSLOIxxx
  – DFSCGxxx
§ IMS commands and restart options
  – Example: /SECURE APPC FULL
  – Example: /NRE TRANAUTH
§ Whether IMS was warm started or cold started
§ Source of the input message
§ RACF definitions
§ Exits
Protecting IMS Resources

§ IMS application (CTL, DL/I, etc.)
§ Transactions
§ Commands
§ Terminals
§ PSBs
§ Datasets
§ Databases (records, fields, segments)
§ Dependent regions and connection threads
§ Coupling Facility structures
§ IMSplex
Protecting IMS Resources
SOME EXAMPLES USING RACF
Protecting the IMS Control Region
Example:
SETROPTS CLASSACT(APPL)
RDEFINE APPL (IMSP,IMST) UACC(NONE)
PERMIT IMSP CLASS(APPL) ID(GROUP1,GROUP2) ACCESS(READ)
PERMIT IMST CLASS(APPL) ID(GROUPA,GROUPB) ACCESS(READ)
PERMIT IMSP CLASS(APPL) ID(BILL) ACCESS(READ) WHEN(TERMINAL(NODE1,NODE2))
If RAS security is activated (ISIS=R):
PERMIT IMSP CLASS(APPL) ID(IMSMPR1,IMSBMP1) ACCESS(READ)
SETR RACLIST(APPL) REFRESH
Protecting DBRC Commands
Example:
CHANGE.RECON CMDAUTH(SAF,PROD)
RDEFINE FACILITY PROD.GENJCL.RECOV.AAA UACC(NONE)
PERMIT PROD.GENJCL.RECOV.AAA CLASS(FACILITY) ID(JOE) ACCESS(READ)
RDEFINE FACILITY PROD.GENJCL.RECOV.* UACC(NONE)
PERMIT PROD.GENJCL.RECOV.* CLASS(FACILITY) ID(BILL) ACCESS(READ)
Complete list of resource names can be found in:
– IMS V10 System Administration Guide, Table 28
– IMS V9 DBRC Guide and Reference, Appendix C
Protecting OM Commands
CMDSEC=R
RDEFINE OPERCMDS IMS.CSLPLX0.UPD.TRAN UACC(NONE)
PERMIT IMS.CSLPLX0.UPD.TRAN CLASS(OPERCMDS) ID(LONNIE) ACCESS(UPDATE)
RDEFINE OPERCMDS IMS.CSLPLX0.STO.DB UACC(NONE)
PERMIT IMS.CSLPLX0.STO.DB CLASS(OPERCMDS) ID(ALAN) ACCESS(UPDATE)
RDEFINE OPERCMDS IMS.CSLPLX1.UPD.TRAN UACC(NONE)
RDEFINE OPERCMDS IMS.*.QRY.* UACC(NONE)
PERMIT IMS.*.QRY.* CLASS(OPERCMDS) ID(KENNY) ACCESS(READ)
Complete list of resource names can be found in:
– IMS V10 IMSplex Administration Guide, Table 8
– IMS V9 Command Reference, Appendix I, Resource Names Table
Protecting CF Structures
RDEF FACILITY CQSSTR.IMSP_MSGQ1 UACC(NONE)
PE CQSSTR.IMSP_MSGQ1 CLASS(FACILITY) ID(IMSP) ACCESS(UPDATE)
RDEFINE FACILITY IXLSTR.IMSP_MSGQ1 UACC(NONE)
PERMIT IXLSTR.IMSP_MSGQ1 CLASS(FACILITY) ID(IMSP) ACCESS(UPDATE)
RDEFINE FACILITY IXLSTR.IMSP_IMSIRLM UACC(NONE)
PERMIT IXLSTR.IMSP_IMSIRLM CLASS(FACILITY) ID(IRLMP) ACCESS(UPDATE)
SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH
Protecting IMSPlex
ADDGROUP PLX0GRP ...
ADDUSER OM1USER ... DFLTGRP(PLX0GRP)
ADDUSER RM1USER ... DFLTGRP(PLX0GRP)
ADDUSER CQS1USER ... DFLTGRP(PLX0GRP)
ADDUSER IMS1USER ... DFLTGRP(PLX0GRP)
ADDUSER ... (other address spaces needing access to SCI)
RDEF STARTED OM1 STDATA(USER(OM1USER) GROUP(PLX0GRP) ...
RDEF STARTED RM1 STDATA(USER(RM1USER) GROUP(PLX0GRP) ...
RDEF ... (for each started task)
RDEFINE FACILITY CSL.CSLPLX0 UACC(NONE)
PERMIT CSL.CSLPLX0 CLASS(FACILITY) ID(PLX0GRP) ACCESS(UPDATE)
SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH
Protecting IMS Data Sets
§ ADDSD ('IMSPROD.RESLIB','IMSPROD.PROCLIB','IMSPROD.ACBLIB') UACC(NONE) AUDIT(ALL) OWNER(IMSADMIN)
§ PERMIT 'IMSPROD.RESLIB' ID(IMSP,MARY,TESTGRP) ACCESS(READ)
§ PERMIT 'IMSPROD.RESLIB' ID(SYSPROG,HENRY) ACCESS(UPDATE)
PART 2: SMU CONVERSION
SMU Migration
IBM Software Group
SMU to RACF Security
IMS V10 SMU Support Removed
§ IMS V10 removes SMU and SMU components
– The Security Maintenance Utility
– Application Group Name Exit Routine (DFSISIS0)
– IMS.MATRIXx data sets
§ Primary consideration
– If migration from SMU to SAF/RACF has not already been done, migration to IMS V10 will also need to include migration from SMU to SAF/RACF
IMS V10 SMU Removal
§ Any SMU parameters in System Generation macros will be ignored
– COMM, IMSGEN, SECURITY macros
§ Utilities
– SMU Utility no longer supported
– Online Change Utility ignores MATRIX dataset DD cards
§ Execution parameters, e.g. AGN, ISIS, AOI1, MSCSEC, SGN, etc.
– Ignored if they request SMU
– Some parameters are no longer documented, but are ignored when specified
– Defaults changed where the previous default was SMU
§ Commands that "require" SMU are rejected
– e.g. /CHANGE PASSWORD
SMU Compared with RACF Security (Before IMS V10)
§ The basic command and transaction security is available with either SMU or RACF
– SMU authorizes the LTERM to use a transaction/command
– RACF authorizes the USERID to use a transaction/command
§ SMU keeps its security definitions in a matrix
– Who can do what
– What can be done by whom
§ RACF keeps security definitions in user profiles which describe allowed access to defined resources
– Resources defined in RACF Resource Classes, for example:
  • Transactions: TIMS class (or groups of transactions in GIMS class)
  • Commands: CIMS class (or groups of commands in DIMS class)
RACF Security Before IMS Version 9
Most IMS security could be implemented with RACF
§ Sign-On user validation and verification
– Check user is known
– Check password is correct
§ Terminal Security
– User v. physical terminal
§ IMS System Access Security
– User v. IMS ID
§ Transaction Security
– User v. Trancode
§ Command Security
– User v. IMS Command in Control Region
– User v. IMS Command in Operations Manager
§ AOI Type 2 ICMD Call Security
– User v. IMS Command
§ IMS Data Set Access Security
– Controls access to DBs and system datasets
§ DB Data Access Security, used with DL/1 AUTH call
– User v. DB Record
– User v. Segment
– User v. Field
§ PSB Access Security for ODBA and CPIC
– User v. PSB name
§ Connection Access Control
– IMS Connect, CQS, CSL address spaces, etc.
Security Enhancements in IMS V9/V10
IMS V9: last release to support SMU
§ Version 9 introduced enhancements to IMS and the RACF interface to support these remaining functions that required SMU in IMS V8:
1. Application Group Name (AGN) security
2. Type 1 Automated Operator Interface (AOI)
3. Terminal security for Time-Controlled Operations (TCO)
4. MSC link-receive security for non-directed routing
5. /LOCK, /UNLOCK and /SET commands with passwords
6. Static terminal Sign-on
Resource Access Security
(Replaces AGN Security)
Resource Access Security with SMU
§ Uses Application Group Name (AGN) security
– IMS Version 9 was the last release to support AGN security
§ Objectives of AGN Security
– Check at Program Scheduling Time that the resources involved (PSB, TRANcode, LTERM) are authorized to be used by the Dependent Region
§ Predominantly used for BMPs, but actually applies for all dependent regions and connecting threads (DRA/CCTL/ODBA)
AGN Security Requirements
§ THREE Required Elements
1. AGN defined in SMU
   – A named group of PSBs, Transaction Codes, LTERM names
2. RACF (optional; can alternatively use DFSISIS0 Exit)
   – Define AGN in AIMS resource class
   – Permit userids to use AGN
3. Dependent Region JCL must contain AGN=xxx execution parameter
   – Would also contain USERID
AGN Security Checks
§ At Dependent Region Startup
– AGN name (if specified in JCL) is authorized for use by Region's USERID
  • RACF or DFSISIS0 (Resource Access Security Exit)
§ At Program Scheduling Time
– Check (performed by SMU) that required IMS resource(s) are in the AGN group for this region
  • MPP / JMP: check TRAN in AGN*
  • Message Driven BMP: check TRAN and PSB in AGN*
  • NMD BMP / IFP / JBP: check PSB in AGN
  • NMD BMP with OUT=: additionally check output LTERM / TRAN in AGN
Mostly, in practice, AGN security is only used with BMPs
Resource Access Security (RAS)
§ The old way: SMU and AGN ...
[Diagram: BMP example, which relies on "AGN=" being coded in JCL. Dependent region BMP1 starts with JCL IMSID=IMSA,USER=BMP1,PASSWORD=PW,AGN=AGN1,... and issues IDENTIFY/CONNECT to IMSA. RACF check (1A/1B/1C): RACROUTE REQUEST=AUTH,CLASS=AIMS,ENTITY=AGN1... against the AIMS profiles and access lists in the RACF data space; ACEEs exist for BMP1, MPP1, IFP1, USER1 and IMSP1. SMU check (2A/2B): at SCHED PAYROLL the SMU AGN table (AGN1, AGN2, AGNX, each listing PSBs, transactions and LTERMs such as PAYROLL, PAYTRAN, LTERM1) is consulted. Regions and their AGNs: MPP1 with AGNX, IFP1 with AGN2, BMP1 with AGN1.]
An alternative to the use of RACF is the use of the DFSISIS0 exit, renamed to "AGN Security Exit" (one or the other is called, not both)
Resource Access Security (RAS) with IMS V9/V10
§ The new way in IMS V9/V10
– Provides direct RACF authorization checking at program scheduling time of Region Userid against IMS Resource (TRAN, PSB, LTERM)
– Uses RACF security classes for PSBs and LTERMs
  • IIMS: Program Specification Block (PSB)
  • JIMS: Grouping class for PSB
  • LIMS: Logical terminal (LTERM)
  • MIMS: Grouping class for LTERM
  • TIMS: Transaction (TRAN)
  • GIMS: Grouping class for Transactions
Note: PSBs in the AIMS class are for ODBA and explicit APPC use of APSB only (further details will follow)
Enabling Resource Access Security in IMS V9/V10
§ New specifications in system definition
– SECURITY ... TYPE = RASRACF | RASEXIT | RAS | NORAS || NOAGN | RACFAGN | AGNEXIT
  • RASRACF = RAS security invokes RACF
  • RASEXIT = RAS security invokes an IMS user exit (DFSRAS00)
  • RAS = RAS security invokes RACF and user exit DFSRAS00
  • NORAS = No security (turns off both RAS and SMU)
  • NOAGN | RACFAGN | AGNEXIT: ignored in V10
§ New specifications during startup (DFSPBxxx exec parameter)
– ISIS = N | R | C | A | 0 | 1 | 2
  • N = No security (turns off both RAS and SMU)
  • R = RAS security invokes RACF
  • C = RAS security invokes an IMS user exit (DFSRAS00)
  • A = RAS security invokes RACF and user exit DFSRAS00
  • 0/1/2: ignored in V10
  • ISIS = N | 0 turns off all security checking
– If ISIS= is not specified, it defaults to the SECURITY ... TYPE= specification (or default)
Resource Access Security Checks
§ New user exit (DFSRAS00) is called after RACF (when both are used)
– Provides authorization of IMS resources to IMS dependent regions in a RAS environment
§ RACF and/or DFSRAS00 make checks at every program schedule using Region's USERID
– Authorize region against transaction (MPP, JMP)*
– Authorize region against PSB (IFP, NMD BMP, JBP, DRA|CCTL|ODBA)
– Authorize region against transaction and PSB (MD BMP)*
– Authorize region against PSB and OUT=LTERM (NMD BMP, JBP)
– Authorize region against PSB and OUT=transaction (NMD BMP, JBP)
* Also check region userid can use LTERM (if LTERM defined in LIMS class)
§ Available in DCCTL, DB/DC, and DBCTL
– DFSISIS0 remains available in an AGN environment for V9, but AGN security and the new RAS security can not coexist in a single IMS system
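To make the schedule-time rules above concrete, here is an added Python model (not IMS code) of which resources RAS authorizes the region userid against for each region type, evaluated against a toy RACF database built from the deck's IMSDGRP migration example; the region type names (MPP, JMP, MDBMP, NMDBMP, IFP, JBP, DRA), the ToyRacf class and the treatment of an undefined transaction or PSB as unprotected are assumptions of this example.

```python
"""Model of the RAS checks IMS makes at program schedule time.

Added example, not IMS code. required_checks() derives the (type, name)
pairs from the slide's list, including the OUT= cases and the LTERM
footnote, and ToyRacf evaluates them using the member classes
TIMS/IIMS/LIMS and the grouping classes GIMS/JIMS/MIMS. Assumption of the
model: a resource with no profile in either class is unprotected (passes).
"""
from dataclasses import dataclass, field

# resource type -> (member class, grouping class)
CLASSES = {"TRAN": ("TIMS", "GIMS"), "PSB": ("IIMS", "JIMS"), "LTERM": ("LIMS", "MIMS")}
ACCESS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)   # userid -> access level name
    members: tuple = ()                        # grouping-class members only


class ToyRacf:
    """class name -> profile name -> Profile."""

    def __init__(self):
        self.db = {}

    def rdefine(self, cls, name, uacc="NONE", addmem=()):
        self.db.setdefault(cls, {})[name] = Profile(uacc, {}, tuple(addmem))

    def permit(self, cls, name, userid, access="READ"):
        self.db[cls][name].acl[userid] = access

    def profiles(self, rtype, resource):
        """Member-class profile plus every grouping profile listing the resource."""
        member_cls, group_cls = CLASSES[rtype]
        found = []
        if resource in self.db.get(member_cls, {}):
            found.append(self.db[member_cls][resource])
        found += [p for p in self.db.get(group_cls, {}).values() if resource in p.members]
        return found

    def defined(self, rtype, resource):
        return bool(self.profiles(rtype, resource))

    def auth_read(self, rtype, resource, userid):
        """True if userid holds at least READ through any covering profile."""
        profs = self.profiles(rtype, resource)
        if not profs:
            return True   # assumption: not defined to RACF -> unprotected
        return any(ACCESS[p.acl.get(userid, p.uacc)] >= ACCESS["READ"] for p in profs)


def required_checks(region, tran=None, psb=None, out=None):
    """(resource type, name) pairs RAS authorizes the region userid against."""
    if region in ("MPP", "JMP"):
        checks = [("TRAN", tran)]
    elif region == "MDBMP":                              # message-driven BMP
        checks = [("TRAN", tran), ("PSB", psb)]
    elif region in ("IFP", "NMDBMP", "JBP", "DRA"):      # DRA stands for DRA|CCTL|ODBA
        checks = [("PSB", psb)]
    else:
        raise ValueError(f"unknown region type {region}")
    if out is not None and region in ("NMDBMP", "JBP"):
        checks.append(out)                               # ("LTERM", x) or ("TRAN", x)
    return checks


def ras_schedule(racf, userid, region, tran=None, psb=None, out=None, lterm=None):
    """Return (allowed, denied); denied lists the failing (type, name) pairs."""
    denied = [c for c in required_checks(region, tran, psb, out)
              if not racf.auth_read(c[0], c[1], userid)]
    # Slide footnote: for the transaction-driven cases also check the LTERM,
    # but only when the LTERM is defined in the LIMS (or MIMS) class.
    if lterm and region in ("MPP", "JMP", "MDBMP") and racf.defined("LTERM", lterm):
        if not racf.auth_read("LTERM", lterm, userid):
            denied.append(("LTERM", lterm))
    return (not denied, denied)


def sample_racf():
    """Constructed database mirroring the deck's IMSDGRP NEW definitions."""
    r = ToyRacf()
    r.rdefine("JIMS", "RASPGRP", addmem=("DEBS", "APOL1"))
    r.permit("JIMS", "RASPGRP", "BMPUSER1")
    r.rdefine("GIMS", "RASTGRP", addmem=("TRANA", "TRANB"))
    r.permit("GIMS", "RASTGRP", "BMPUSER1")
    r.rdefine("MIMS", "RASLGRP", addmem=("IMSUS02", "T3270LD"))
    r.permit("MIMS", "RASLGRP", "BMPUSER1")
    r.rdefine("TIMS", "PAYTRAN")      # defined with UACC(NONE), nobody permitted
    return r


if __name__ == "__main__":
    racf = sample_racf()
    print(ras_schedule(racf, "BMPUSER1", "MDBMP", tran="TRANA", psb="DEBS", lterm="T3270LD"))
    print(ras_schedule(racf, "BMPUSER1", "MDBMP", tran="PAYTRAN", psb="DEBS"))
```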
Resource Access Security and APSB Security
§ When RAS is enabled
– RAS check is made at every MPP/JMP program schedule using region's userid
– RAS check is made at every BMP/IFP/JBP program schedule using region's userid
– RAS check is made at every CICS/DBCTL program schedule using userid of CICS address space
  • Completely separately, CICS can perform check of terminal user against PSB
§ RAS checking takes place at a program schedule
– PSB defined in IIMS RACF class
§ APSB security checking takes place for an "APSB Call"
– PSB defined in AIMS RACF class
IMS will never use both checks for the same schedule!
§ ODBA APSB call
– Exec parameter "ODBASE=Y" means use APSB security
– With ODBASE=N, RAS (or AGN) security will apply if enabled
§ Explicit APPC (CPIC) APSB call
– If APSB security is performed (with caller's userid), RAS check will not be made
– If APSB security is not performed, RAS check (if enabled) will be performed using region's userid
RAS Migration Examples
Example 1: BMP with OUT=lterm/tran
OLD
AGN definitions:
)( AGN IMSDGRP
AGPSB DEBS
AGPSB APOL1
AGTRAN TRANA
AGTRAN TRANB
AGLTERM IMSUS02
AGLTERM T3270LD
RACF definitions (userid to AGN group):
ADDUSER BMPUSER1
RDEFINE AIMS IMSDGRP OWNER(IMSADMIN) UACC(NONE)
PERMIT IMSDGRP CLASS(AIMS) ID(BMPUSER1) ACCESS(READ)
SETROPTS CLASSACT(AIMS)
NEW
RACF definitions:
ADDUSER BMPUSER1
RDEFINE JIMS RASPGRP ADDMEM(DEBS,APOL1) UACC(NONE)
PERMIT RASPGRP CLASS(JIMS) ID(BMPUSER1) ACCESS(READ)
RDEFINE GIMS RASTGRP ADDMEM(TRANA,TRANB) UACC(NONE)
PERMIT RASTGRP CLASS(GIMS) ID(BMPUSER1) ACCESS(READ)
RDEFINE MIMS RASLGRP ADDMEM(IMSUS02,T3270LD) UACC(NONE)
PERMIT RASLGRP CLASS(MIMS) ID(BMPUSER1) ACCESS(READ)
PK35433 and PK38522
• Program DFSKAGN0 is provided to assist in the conversion of AGN SMU statements to RACF counterparts
• Skeleton DFSKSMJA is provided as a sample JCL stream for invoking DFSKAGN0
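As an added illustration of the kind of conversion DFSKAGN0 performs (this is example code, not IBM's utility), the following Python script parses SMU AGN statements and emits RACF definitions of the same shape as the NEW column above; the profile naming rule (AGN name plus a P/T/L suffix instead of the slide's RASPGRP/RASTGRP/RASLGRP), the mapping of an ALL member to a generic ** profile in the member class and the closing SETROPTS CLASSACT commands are assumptions of this example.

```python
"""Convert SMU AGN statements to RAS-style RACF definitions.

Added example, not the DFSKAGN0 utility. AGPSB/AGTRAN/AGLTERM members of an
AGN become one grouping-class profile each (JIMS/GIMS/MIMS) permitted to the
region userids that ran with AGN=<name>. An 'ALL' member becomes a generic
** profile in the member class (IIMS/TIMS/LIMS); that mapping and the
profile names are assumptions of this example.
"""

KEYWORD_TYPE = {"AGPSB": "PSB", "AGTRAN": "TRAN", "AGLTERM": "LTERM"}
# resource type -> (grouping class, member class, profile-name suffix)
CLASSES = {"PSB": ("JIMS", "IIMS", "P"),
           "TRAN": ("GIMS", "TIMS", "T"),
           "LTERM": ("MIMS", "LIMS", "L")}


def parse_agn(text):
    """Parse SMU AGN input into {agn_name: {resource_type: [members]}}."""
    agns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(")("):            # SMU control-statement prefix
            line = line[2:].strip()
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"unrecognised SMU statement: {raw!r}")
        keyword, value = parts[0].upper(), parts[1].upper()
        if keyword == "AGN":
            current = agns.setdefault(value, {t: [] for t in CLASSES})
        elif keyword in KEYWORD_TYPE:
            if current is None:
                raise ValueError(f"{keyword} before any AGN statement")
            current[KEYWORD_TYPE[keyword]].append(value)
        else:
            raise ValueError(f"unsupported SMU statement: {keyword}")
    return agns


def racf_commands(agns, region_users):
    """Emit RACF commands; region_users maps AGN name -> region userids."""
    out, member_classes = [], set()
    for agn, groups in agns.items():
        userids = region_users.get(agn, [])
        if not userids:
            raise ValueError(f"no region userids supplied for AGN {agn}")
        ids = ",".join(userids)
        out += [f"ADDUSER {uid}" for uid in userids]
        for rtype, members in groups.items():
            if not members:
                continue
            grp_cls, mem_cls, suffix = CLASSES[rtype]
            member_classes.add(mem_cls)
            if "ALL" in members:
                # Assumption: AGxxx ALL -> generic ** profile in the member class.
                out.append(f"RDEFINE {mem_cls} ** UACC(NONE)")
                out.append(f"PERMIT ** CLASS({mem_cls}) ID({ids}) ACCESS(READ)")
                continue
            profile = agn[:7] + suffix       # keeps the profile name within 8 characters
            out.append(f"RDEFINE {grp_cls} {profile} ADDMEM({','.join(members)}) UACC(NONE)")
            out.append(f"PERMIT {profile} CLASS({grp_cls}) ID({ids}) ACCESS(READ)")
    # The member classes must be active for the checks to happen (the slide
    # does the same for AIMS with SETROPTS CLASSACT(AIMS)).
    out += [f"SETROPTS CLASSACT({cls})" for cls in sorted(member_classes)]
    return out


# Constructed sample input: the deck's IMSDGRP example plus an ALL-style AGN.
SAMPLE_SMU = """
)( AGN IMSDGRP
AGPSB DEBS
AGPSB APOL1
AGTRAN TRANA
AGTRAN TRANB
AGLTERM IMSUS02
AGLTERM T3270LD
)( AGN ALLGRP
AGPSB ALL
AGTRAN ALL
"""
SAMPLE_USERS = {"IMSDGRP": ["BMPUSER1"], "ALLGRP": ["DRAINBMP"]}


def convert(text=SAMPLE_SMU, region_users=SAMPLE_USERS):
    return racf_commands(parse_agn(text), region_users)


if __name__ == "__main__":
    print("\n".join(convert()))
```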
RAS Migration Examples ...
Example 2: AGN name with access to all entities of a particular resource type
OLD
AGN definitions:
)( AGN ALLGRP
AGPSB ALL
AGTRAN ALL
NEW
In RACF, generic resource definitions can be used
RACF definitions:
ADDUSER DRAINBMP
RDEFINE JIMS ** UACC(NONE)
PERMIT ** CLASS(JIMS) ID(DRAINBMP) ACCESS(READ)
RDEFINE TIMS ** UACC(NONE)
PERMIT ** CLASS(TIMS) ID(DRAINBMP) ACCESS(READ)
Migrating Off SMU with V9
§ Define all AGN resources to RACF in the appropriate classes
§ Define all region ids as RACF users
– BMPs, MPPs, IFPs, etc.
§ Permit region ids to access appropriate resources
§ Change SECURITY macro to specify RAS
and/or
§ Change ISIS= parameter in DFSPBxxx to specify RAS
§ If needed, add ODBASE=Y to DFSPBxxx
§ Restart IMS
§ When safe, remove SMU definitions
AOI Security
AOI Security in V8 and Before
§ Automated Operator Program commands
– Type 1 AOI CMD calls
  • SMU transaction command security
  • SECURITY ... TRANCMD = NO | YES | FORCE
  • /NRE or /ERE COLDSYS ... TRANCMDS | NOTRANCMDS
  • SMU definitions
    – Which commands can be executed by a specific program:
      )( CTRANS AUTOCTL
      TCOMMAND START
      TCOMMAND STOP
    – Which programs can execute a specific command:
      )( TCOMMAND STOP
      CTRANS AUTOCTL
      CTRANS ADDINV
Ignored in V10
AOI Security in IMS V9/V10
§ IMS V9 enhancements
1. RACF and/or DFSCCMD0 support for
   – Type 1 AOI CMD calls
   AND
   – Type 2 AOI ICMD calls
2. Exec parameter "AOI1", in addition to existing "AOIS"
3. New TRANSACT macro parameter
   • Defines what is used as the userid
   • Affects both Type 1 and Type 2 AOI calls
   • But has slightly different meaning for each type
If you make no changes when migrating to IMS V9, AOI security will be as before
Security Support for Type 1 AOI (CMD)
§ New IMS EXEC parameter to choose type of security
– AOI1 = N | C | R | A | S ('S' is reset to 'R' in V10)
TRANSACT AOI= Parameter
§ New IMSGEN TRANSACT parameter
– TRANSACT ... AOI= YES | TRAN | CMD | NO
– Relates to use of RACF/DFSCCMD0 for both types of AOI command call
  • YES = Requests the USERID of the user who entered the transaction be authorised against the Command (in CIMS class)
  • TRAN = Requests that the TRANCODE be used as the userid for authorization against the Command (in CIMS class)
    → transactions have to be defined to RACF as USERIDs
  • CMD = Requests that the COMMAND CODE (first three characters of the command) be authorised against Trancode (in TIMS class)
    → the first three characters of IMS commands have to be defined to RACF as USERIDs
  • NO = AOI Type 1 CMD calls are not allowed
  (TRAN and CMD are not relevant for AOI Type 2 ICMD calls; for ICMD calls NO is the same as YES)
Note that Type 2 commands now have additional security options
RACF Replacement for Type 1 AOI (CMD) SMU Security
OLD
)( CTRANS AUTOCTL
TCOMMAND START
TCOMMAND STOP

)( TCOMMAND STOP
CTRANS AUTOTRAN
CTRANS ADDINV
NEW
Specify TRANSACT macro AOI= parameter in IMS definitions:
TRANSACT CODE=AUTOCTL,AOI=CMD
TRANSACT CODE=AUTOTRAN,AOI=TRAN
RACF definitions:
ADDGROUP AOCMDS
ADDUSER STO DFLTGRP(AOCMDS)
ADDUSER STA DFLTGRP(AOCMDS)
RDEFINE TIMS AUTOCTL UACC(NONE)
PERMIT AUTOCTL CLASS(TIMS) ID(AOCMDS) ACCESS(READ)
ADDUSER AUTOTRAN
ADDUSER ADDINV
RDEFINE CIMS STO UACC(NONE)
PERMIT STO CLASS(CIMS) ID(AUTOTRAN,ADDINV) ACCESS(READ)
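As an added check a migrating site could run before switching to AOI1=R (example code, not the DFSKCIMS utility), this Python script applies the TRANSACT AOI=TRAN and AOI=CMD rules to the NEW definitions above and confirms that every (program, command) pair the OLD SMU matrix allowed is still allowed, and nothing else; the dictionary layout of the RACF data and the constructed /DISPLAY probe command are assumptions of this example.

```python
"""Check that RACF definitions reproduce an SMU Type 1 AOI (CMD) matrix.

Added example, not the DFSKCIMS utility. TRANSACT AOI=TRAN: the trancode is
the userid, checked against the command verb in CIMS. AOI=CMD: the
3-character command code is the userid, checked against the trancode in
TIMS. AOI=YES uses the end user's userid; AOI=NO refuses CMD calls.
"""


def command_code(command):
    """CIMS resource / RACF userid for an IMS command: first three characters of the verb."""
    return command.lstrip("/").upper()[:3]


def racf_check(aoi_setting, trancode, command, end_user=None):
    """(class, resource, userid) IMS would ask RACF about, or None if CMD calls are refused."""
    code = command_code(command)
    if aoi_setting == "YES":
        return ("CIMS", code, end_user)
    if aoi_setting == "TRAN":
        return ("CIMS", code, trancode)
    if aoi_setting == "CMD":
        return ("TIMS", trancode, code)
    if aoi_setting == "NO":
        return None
    raise ValueError(f"unknown AOI= value {aoi_setting}")


def permitted(racf, check):
    """READ via the userid or its default group; no profile counts as not permitted."""
    cls, resource, userid = check
    if userid not in racf["users"]:
        return False      # TRAN/CMD need the trancode or verb defined as a RACF userid
    acl = racf["permits"].get((cls, resource))
    if acl is None:
        return False      # no RDEFINE: an explicit UACC(NONE) profile is required
    return userid in acl or racf["users"][userid] in acl


def compare(smu_allowed, aoi_settings, racf, extra_commands=("/DISPLAY",)):
    """(tran, command, side) triples where the two definitions disagree.

    side is "SMU" when SMU allowed the pair but RACF denies it, and "RACF"
    when RACF allows a pair SMU never did.
    """
    commands = sorted({cmd for _, cmd in smu_allowed} | set(extra_commands))
    mismatches = []
    for tran in sorted(aoi_settings):
        for cmd in commands:
            check = racf_check(aoi_settings[tran], tran, cmd)
            racf_ok = check is not None and permitted(racf, check)
            smu_ok = (tran, cmd) in smu_allowed
            if racf_ok != smu_ok:
                mismatches.append((tran, cmd, "SMU" if smu_ok else "RACF"))
    return mismatches


# Constructed from the slide. OLD: pairs the SMU CTRANS/TCOMMAND statements allow.
SMU_ALLOWED = {("AUTOCTL", "/START"), ("AUTOCTL", "/STOP"),
               ("AUTOTRAN", "/STOP"), ("ADDINV", "/STOP")}
# NEW: TRANSACT AOI= values and the RACF users (with DFLTGRP) and permits.
AOI_SETTINGS = {"AUTOCTL": "CMD", "AUTOTRAN": "TRAN", "ADDINV": "TRAN"}
RACF = {
    "users": {"STO": "AOCMDS", "STA": "AOCMDS", "AUTOTRAN": None, "ADDINV": None},
    "permits": {("TIMS", "AUTOCTL"): {"AOCMDS"}, ("CIMS", "STO"): {"AUTOTRAN", "ADDINV"}},
}


if __name__ == "__main__":
    print("mismatches:", compare(SMU_ALLOWED, AOI_SETTINGS, RACF))
```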
RACF and SMU Coexistence in IMS V9
§ Only relevant for Type 1 AOI (CMD) calls
– AOI1=S (V9: use SMU; V10: ignored)
  • Uses SMU security
  • TRANSACT AOI value ignored
– AOI1=N
  • No authorization checking is done
  • TRANSACT AOI value ignored
– AOI1=R|C|A
  • Uses RACF and/or DFSCCMD0
  • TRANSACT AOI value honored
– AOI1 not specified
  • Defaults to IMS GEN specification for SMU in V9
  • Defaults to R in V10
§ Final override
– /NRE or /ERE ... TRANCMDS | N/OTRANCMDS (NOTRANCMDS in V9: CMD calls not allowed; in V10: ignored)
Migrating Off SMU on V9: Type 1 (CMD)
§ Initially, code AOI1=S to get SMU security
§ Set up required RACF definitions for type 1 commands
– If defining trancodes or IMS command verbs as userids, specify a password to ensure that people can not sign on with these userids
§ Add AOI=value to TRANSACT macros in IMSGEN
– Can use online change
– Will be ignored for type 1 commands while AOI1= indicates SMU security
§ Change (or add) AOI1=R to DFSPBxxx
§ Restart IMS (can be warm)
§ When safe, remove SMU definitions
PK35433 and PK38522
• Program DFSKCIMS is provided to assist in the conversion of SMU statements to RACF counterparts
• DFSKSMU1 and DFSKAOI1 assist in adding AOI= parameter to TRANSACT macros
Time Control Option (TCO) Security
TCO Security in V8 and Before
§ Time Controlled Operations (TCO)
– IMS capability to execute time-initiated commands and transactions
§ Security support
– Authorization of loading of TCO script by an LTERM
  • performed only by DFSTCNT0 exit
– Resource authorization
  • Commands and Transaction security using SMU
  • Transaction security (only) using RACF
    – Command security could be requested but is not performed
TCO Security in IMS V9/V10
§ Loading of TCO scripts
– No change: performed only by DFSTCNT0 exit
§ Resource Security
– Command and Transaction security with SMU in V9, but not in V10
– Command and Transaction security with RACF in V9/V10
TCO Security with SMU
§ Uses standard SMU transaction and command security for DFSTCFI (the TCO input LTERM)
§ DFSCCMD0 will also be called if it exists (after SMU check) for command security
)( TERMINAL DFSTCFI
COMMAND START
COMMAND STOP
TRANSACT STATTRN

)( COMMAND START
TERMINAL DFSTCFI

)( COMMAND STOP
TERMINAL DFSTCFI
RACF Security for TCO in V8
§ Requires IMS EXEC parameter, RCF= A | S | R | B
– Requests RACF support for transaction and command authorisation
§ Requires a USERID
– TCO script specification of /SIGN ON tcousid tcopw
  • Should also issue /SIGN OFF at end of script
– Else uses control region userid
§ Available for RACF authorization of transactions only
– TCO userid is authorised to use transactions in the TIMS class, as usual
§ Command security for TCO userid can be specified ...
– ... but RACF will not be called (No RACF for commands!)
– TCO is treated by IMS V8 like a system console or master terminal
  • Eligible to enter any commands
– DFSCCMD0 will be called if it exists
RACF Support for TCO in IMS V9/V10
§ Requires new execution parameter: TCORACF = Y | N
– Specifies whether or not TCO command security is done with RACF
§ Requires RCF = A | S | R | B (R/B ignored in V10)
– RACF is called for TCO command security only if TCORACF = Y is also specified
§ Requires a TCO USERID
– TCO script specification of /SIGN ON tcousid tcopw
– If DFSTCFI is not required to sign on, will use IMS user ID
§ RACF will be called in standard way to authorize transactions and commands
– Using TCO USERID
§ DFSCCMD0 will be called if it exists (after RACF) for command security
RACF Support for TCO ...
OLD
)( TERMINAL DFSTCFI
COMMAND START
COMMAND STOP
TRANSACT STATTRN
"NEW"
ADDUSER TCOUSID DFLTGRP(IMS) OWNER(IMS) PASSWORD(tcopw)
PERMIT STA CLASS(CIMS) ID(TCOUSID) ACCESS(READ)
PERMIT STO CLASS(CIMS) ID(TCOUSID) ACCESS(READ)
PERMIT STATTRN CLASS(TIMS) ID(TCOUSID) ACCESS(READ)
The above definitions could have been coded in prior releases. If so, authorization for the transaction was done. Command authorization, however, was never invoked. In IMS V9/10 (TCORACF=Y), using the same definitions, RACF will be invoked for command authorization.
This example assumes:
– Command and transaction profiles already exist
– The TCO userid (TCOUSID) is connected to a RACF group
– The TCO script issues a /SIGN ON for TCOUSID
– RCF= and TCORACF=Y are specified
Migrating Off SMU on V9
§ Prerequisite is that RACF is used for command / transaction security
– RCF= A | S | R | B (R/B ignored in V10)
§ Define TCO userid and permissions in RACF
§ Add /SIGN ON to all TCO scripts
§ Add TCORACF=Y to DFSPBxxx
§ Restart IMS (can be warm)
§ When safe, remove SMU definitions
MSC Link Receive Security
MSC Link Receive Security in V8
§ Directed Routing*
– Uses RACF, and Transaction Authorization Exit Routine (DFSCTRN0) if defined
– If DFSMSCE0 exit (link receive entry point) is defined, RACF and DFSCTRN0 are called before and after call of DFSMSCE0
§ Non-Directed routing
– Uses SMU (after the DFSMSCE0 call)
  • Normal transaction security using MSName as the LTERM name
    – Not necessarily defined in IMS GEN
– Note: security checking may also have already taken place in the inputting IMS (terminal security or CHNG call security)
* "Directed Routing" is when application explicitly specifies target location
Note that Directed and Non-directed routing use different userids for security
MSC Link Receive Security in V8 ...
[Diagram: IMSA (APPLCTN PSB=APPLY, TRANSACT CODE=TRANZ; an MPP issues ISRT TRANZ; SYSID=(01,30)) is connected by MSC links to IMSB and IMSC, each defined with APPLCTN PSB=APPLX and TRANSACT CODE=TRANX. Non-directed routing (USER1, TRANX, into IMSB): SMU check against the SMU tables ")( TRANSACT TRANX / TERMINAL MSNAME1", where MSNAME1 is the logical link. Directed routing (USER2, TRANY, into IMSC): RACF via the System Authorization Facility against the resource profiles and access lists in the RACF data space and RACF DB, with ACEEs for USER1, USER2 and IMSP1; IMS builds the USER2 ACEE and checks USER2 access to TRANZ (TWICE!).]
MSC Link Receive Security in IMS Version 9/10
§ New DFSDCxxx parameter to specify use of RACF / DFSCTRN0
– MSCSEC=(parm1, parm2)
  • parm1: defines types of MSC link-receive usage that require security
    – LRDIRECT | LRNONDR | LRALL | LRNONE
  • parm2: defines type of security check to be performed
    – CTL | MSN | USER | EXIT | CTLEXIT | MSNEXIT | USREXIT | NONE
RACF for MSC Link Receive Security in V9/V10
§ MSCSEC=(parm1, ...)
– LRDIRECT = Link Receive Directed Routing tran security checking
– LRNONDR = Link Receive Non-Directed Routing tran security checking
– LRALL = LRDIRECT and LRNONDR
– LRNONE = No Link Receive security checking
§ V8 compatibility is provided with LRDIRECT
– V9 will use SMU security for non-directed routing, but V10 will have no security for non-directed routing when LRDIRECT is specified
§ RACF / DFSCTRN0 called once, after DFSMSCE0
§ The USERID to be used is defined by MSCSEC parm2 or DFSMSCE0 Exit
RACF for MSC Link Receive Security in V9/V10 ...
§ MSCSEC=(..., parm2)
– Specifies what is used as "userid" for transaction security check
– MSCSEC=(LRDIRECT | LRNONDR | LRALL | LRNONE , CTL | MSN | USER | EXIT | CTLEXIT | MSNEXIT | USREXIT | NONE)
  • CTL = Use userid of control region
  • MSN = Use MSNAME as the userid
  • USER = Use the terminal user's userid
  • EXIT = Authorization by user exit alone (DFSCTRN0)
  • CTLEXIT = Use control region userid for RACF and call DFSCTRN0
  • MSNEXIT = Use MSNAME as userid for RACF and call DFSCTRN0
  • USREXIT = Use terminal user's userid for RACF and call DFSCTRN0
  • NONE = No Security authorization checking
Note: with RACF, the security environment for the control region or MSNAME is built once when first used, and retained. But the security environment for an end user is built and deleted for each message.
New Role for DFSMSCE0 Link Receive Processing
§ Traditionally, directed and non-directed routing have used different userids for security
– To achieve this in future will require the use of DFSMSCE0 exit
§ Additional data is passed to DFSMSCE0
– Userid, Group name, and Userid indicator
§ DFSMSCE0 can override MSCSEC PARM2 value
– In other words, DFSMSCE0 link receive processing can:
  • Enable or disable security check
  • Enable or disable use of DFSCTRN0
  • Choose what userid to use for RACF security
    – user, control region or MSName
Migrating Off SMU with IMS V9
§ When migrating to IMS V9, add to DFSDCxxx
– MSCSEC=(LRDIRECT,USER)
  • or authorise control region for transaction execution, and take default MSCSEC values (LRDIRECT,CTL)
§ Decide what type of userid to use for directed and non-directed routing
– Easier when both the same, but can be different
§ Update RACF to include new userids (MSNAMEs and Ctl Rgn) if necessary, and grant their access to transactions
§ If using two types of userid, code DFSMSCE0 accordingly
§ Change DFSDCxxx to include
– MSCSEC=(LRALL,USER | MSN | CTL)
§ Restart IMS
§ When safe, remove SMU definitions
/LOCK, /UNLOCK and /SET Security
/LOCK, /UNLOCK and /SET Security in V8
§ SMU is used to provide Password Security
– e.g., /LOCK DATABASE payroll (uomecash)
        /SET TRANSACTION paytran (uomecash)
– Note: these passwords can not be used with ETO terminals (ETO and SMU are incompatible)
§ Definitions to achieve SMU /LOCK and /SET password security
– IMSGEN SECURITY Macro: PASSWD=YES
  • Can override with /NRE or /ERE COLDSYS PASSWORD
– SMU Definitions (password is associated with specific resource):
  )( DATABASE PAYROLL
  PASSWORD UOMECASH
  or
  )( PASSWORD UOMECASH
  DATABASE PAYROLL
  PROGRAM PAYPROG
  TRANSACT PAYTRAN
Use of /LOCK, /UNLOCK and /SET Security
§ An "end user manager" can LOCK and UNLOCK his users' LTERMs
– One or more LTERMs for a physical terminal
– Only he knows the password to do this (when using SMU)
§ Similarly he can SET the destination transaction code for a terminal
– Only he knows the password to do this (when using SMU)
§ Senior operators can LOCK and UNLOCK DBs, programs and transactions
– Only they know the passwords to do this (when using SMU)
§ In IMS V9/V10 with RACF, these "special people" are explicitly authorized to LOCK, UNLOCK and SET specific resources
RACF /LOCK, /UNLOCK and /SET Security in IMS V9/V10
§ New DFSDCxxx parameter : LOCKSEC = Y | N
– N = No authorization checking
• standard command security will still apply
– Y = Calls RACF (and DFSCTRN0 if TRAN)
• RACF classes: LIMS, PIMS, IIMS, TIMS for LTERM, DB, PSB, TRAN respectively
• If the resource is not defined to RACF, access will be granted
§ RACF security is based on the user’s userid
– Userid must be authorized to issue /LOCK, /UNLOCK, /SET commands AND must be authorized for use of the specific resource
§ Password security is still available in V9 and V10
– In V9, SMU checking can still be requested (done before RACF)
– In V9/10, RACF REVERIFY password support can be requested
• User’s signon password is used for reverification
• Does not apply to /LOCK or /UNLOCK of NODE or PTERM
Migrating Off SMU with V9
§ Define to RACF all resources that need to be LOCKed or SET
– LTERMs, DBs, Programs (PSBs), and Transactions
§ Grant authority for using these resources to the appropriate userids
§ Add LOCKSEC=Y to DFSDCxxx
§ Restart IMS
§ When safe, remove SMU definitions
§ Inform users that passwords are no longer needed
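The first two steps of this migration (define the resources, grant them to the right userids) are mechanical once the SMU password statements have been read. The script below is an added example, not part of the presentation and not one of IBM's conversion utilities: it reads SMU )( PASSWORD statements in the two layouts shown on the earlier slide and emits the RACF RDEFINE/PERMIT/SETROPTS statements that LOCKSEC=Y will check against. Assumptions not taken from the page: the keyword-to-class mapping follows the LOCKSEC slide (LTERM to LIMS, DATABASE to PIMS, PROGRAM to IIMS, TRANSACT to TIMS); the SMU text, the userids DBAOPER and MGR01, and the function names are constructed for this example. Each profile is defined with UACC(NONE) on purpose: the slide notes that a resource not defined to RACF is granted under LOCKSEC=Y, so a resource that was password-protected in SMU but left undefined in RACF would silently become unprotected.

```python
"""Added example (not from the IBM presentation): convert SMU password-security
statements for /LOCK, /UNLOCK and /SET into the RACF definitions that
LOCKSEC=Y checks against.

Assumptions (not from the page): the SMU input follows the two layouts shown
on the slide; the resource-keyword-to-class mapping is LTERM->LIMS,
DATABASE->PIMS, PROGRAM->IIMS, TRANSACT->TIMS as the LOCKSEC slide lists;
the SMU text and userids below are constructed sample data.
"""

# SMU resource keyword -> RACF class used by LOCKSEC=Y (per the slide).
SMU_TO_RACF_CLASS = {
    "LTERM": "LIMS",
    "DATABASE": "PIMS",
    "PROGRAM": "IIMS",
    "TRANSACT": "TIMS",
}

# Constructed SMU source in both layouts the slide shows.
SAMPLE_SMU = """\
)( DATABASE PAYROLL
   PASSWORD UOMECASH
)( PASSWORD UOMECASH
   DATABASE PAYROLL
   PROGRAM PAYPROG
   TRANSACT PAYTRAN
)( TRANSACT INVTRAN
   PASSWORD INVPASS
"""

# Constructed: which userids may /LOCK, /UNLOCK or /SET each resource.
SAMPLE_GRANTS = {
    ("PIMS", "PAYROLL"): ["DBAOPER"],
    ("TIMS", "PAYTRAN"): ["MGR01"],
}


def parse_smu_passwords(text):
    """Return sorted (racf_class, resource) pairs that SMU protects with a
    password, whichever keyword (PASSWORD or the resource) opens the statement."""
    protected = set()
    statement = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(")("):          # a new )( statement begins
            _collect(statement, protected)
            statement = [line[2:].strip()]
        else:
            statement.append(line)
    _collect(statement, protected)
    return sorted(protected)


def _collect(statement, protected):
    """Add every resource keyword of one statement if it carries a PASSWORD."""
    pairs = [p for p in (ln.split(None, 1) for ln in statement) if len(p) == 2]
    if not any(kw.upper() == "PASSWORD" for kw, _ in pairs):
        return
    for kw, value in pairs:
        cls = SMU_TO_RACF_CLASS.get(kw.upper())
        if cls:
            protected.add((cls, value.strip().upper()))


def racf_definitions(protected, grants):
    """Emit one RDEFINE per resource with UACC(NONE), a READ PERMIT for each
    authorized userid, and a RACLIST refresh per class touched."""
    cmds = []
    for cls, res in protected:
        cmds.append(f"RDEFINE {cls} {res} UACC(NONE)")
        for uid in grants.get((cls, res), ()):
            cmds.append(f"PERMIT {res} CLASS({cls}) ID({uid}) ACCESS(READ)")
    # New profiles only take effect once the RACLISTed class is refreshed.
    for cls in sorted({cls for cls, _ in protected}):
        cmds.append(f"SETROPTS RACLIST({cls}) REFRESH")
    return cmds


if __name__ == "__main__":
    print("\n".join(racf_definitions(parse_smu_passwords(SAMPLE_SMU), SAMPLE_GRANTS)))
```

Resources that appear in SMU without a PASSWORD keyword are ignored, since they were never password-protected and need no LOCKSEC profile; the generated statements are a starting point to review, in the same spirit as the "Not meant as a total solution" caveat later in the deck.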
Sign On Verification Security
Signon Verification Security in V8
§ SMU method for static terminal Signon Verification
– Defines which static (non-ETO) terminals must /SIGN ON
        )( SIGN
           STERM TERM1
           STERM TERM2        or    STERM ALL
           STERM TERM3
           ...
– Requires SECURITY SECLVL=SIGNON or FORCSIGN
– … and typically requests RACF verification of userid/password with SECURITY TYPE=RACFTERM
Signon Verification Security in IMS Version 9/10
§ Does not require RACF (or SMU)
§ New startup parameter in DFSDCxxx
– SIGNON = ALL | SPECIFIC
• ALL : all static terminals (except 3284/3286, SLU1 printers, and MTOs)
• SPECIFIC : based on OPTIONS of the TYPE/TERMINAL macro
§ Addition to the OPTIONS parameter on the TYPE and/or TERMINAL macros
– OPTIONS = (...,SIGNON | NOSIGNON)
• Specification on the TERMINAL macro overrides TYPE
§ In V9, if a TERMINAL has both a SMU STERM specification and a conflicting OPTIONS=NOSIGNON, then SMU takes precedence
Migrating Off SMU with IMS V9
For “ALL”
§ Add SIGNON=ALL to DFSDCxxx
§ Restart IMS
For “SPECIFIC”
§ Add OPTIONS=(… SIGNON… ) for all TERMINALs which currently have an explicit SMU signon requirement
§ Add SIGNON=SPECIFIC to DFSDCxxx
§ Restart IMS
§ When safe, remove SMU definitions
PK35433 and PK38522
• Programs DFSKSMU1 and DFSKSMU2 are provided to assist in the conversion of )( SIGN SMU statements to the OPTIONS SIGNON parameter on the TERMINAL macros
• Skeleton DFSKSMJS is provided as sample JCL for invoking DFSKSMU1 and DFSKSMU2
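The rules on the last three slides interact: SIGNON= in DFSDCxxx, OPTIONS on the TERMINAL macro overriding the TYPE macro, NOSIGNON as the default under SPECIFIC, and in V9 an SMU STERM requirement winning over a conflicting NOSIGNON. The following is an added Python example, not from the presentation and not IBM's DFSKSMU1/DFSKSMU2 code: it resolves whether each static terminal must sign on under those rules and derives the OPTIONS=SIGNON additions needed when the )( SIGN statements are retired in favour of SIGNON=SPECIFIC. The terminal records, TYPE names and SMU text are constructed; the device labels (SLU1-PRINTER, MTO), the MTO handling taken from FAQ 12 later in the deck, and the function names are this example's own assumptions.

```python
"""Added example (not from the IBM presentation): resolve the static-terminal
sign-on requirement under the IMS V9/V10 rules the slides describe, and plan
the )( SIGN STERM -> OPTIONS=SIGNON conversion.

Assumptions (not from the page): terminals are modelled as small records
rather than parsed Stage 1 macros; the device labels, terminal/TYPE names
and SMU text below are constructed sample data.
"""
from dataclasses import dataclass, field

# Device kinds that SIGNON=ALL does not force to sign on, per the slide.
SIGNON_ALL_EXEMPT = {"3284", "3286", "SLU1-PRINTER", "MTO"}


@dataclass
class Terminal:
    name: str
    type_name: str                 # the TYPE macro this TERMINAL belongs to
    device: str = "3270"
    term_options: set = field(default_factory=set)   # OPTIONS on the TERMINAL macro


# Constructed SMU source: a )( SIGN statement plus an unrelated statement.
SAMPLE_SMU_SIGN = """\
)( SIGN STERM TERM1 STERM TERM2
   STERM TERM3
)( TERMINAL LTERM5
   COMMAND DIS
"""

# Constructed Stage 1 picture: OPTIONS on TYPE macros and the TERMINALs.
TYPE_OPTIONS = {"T3270": {"NOSIGNON"}, "TPRT": set()}
TERMINALS = [
    Terminal("TERM1", "T3270"),
    Terminal("TERM2", "T3270", term_options={"SIGNON"}),
    Terminal("TERM3", "T3270"),
    Terminal("TERM4", "T3270"),
    Terminal("PRT1", "TPRT", device="SLU1-PRINTER"),
    Terminal("MASTER", "T3270", device="MTO"),
]


def parse_smu_sign(text):
    """Return the terminal names on STERM keywords inside )( SIGN statements;
    the set contains 'ALL' if STERM ALL was coded."""
    sterms = set()
    in_sign = False
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == ")(":                       # statement boundary
            in_sign = len(tokens) > 1 and tokens[1].upper() == "SIGN"
            tokens = tokens[2:]
        if not in_sign:
            continue
        for i, tok in enumerate(tokens):            # STERM may repeat per line
            if tok.upper() == "STERM" and i + 1 < len(tokens):
                sterms.add(tokens[i + 1].upper())
    return sterms


def effective_option(term, type_options):
    """TERMINAL OPTIONS override TYPE OPTIONS; NOSIGNON is the default."""
    for opts in (term.term_options, type_options.get(term.type_name, set())):
        if "SIGNON" in opts:
            return "SIGNON"
        if "NOSIGNON" in opts:
            return "NOSIGNON"
    return "NOSIGNON"


def signon_required(term, dfsdc_signon, type_options, smu_sterms=frozenset(), version=10):
    """Apply DFSDCxxx SIGNON=ALL|SPECIFIC, then (V9 only) let an SMU STERM
    requirement override a conflicting OPTIONS=NOSIGNON."""
    if dfsdc_signon == "ALL":
        required = term.device not in SIGNON_ALL_EXEMPT
        # FAQ 12: the MTO signs on under ALL only when SIGNON is coded explicitly.
        if term.device == "MTO" and effective_option(term, type_options) == "SIGNON":
            required = True
    else:
        required = effective_option(term, type_options) == "SIGNON"
    if version == 9 and not required:
        if "ALL" in smu_sterms or term.name.upper() in smu_sterms:
            required = True
    return required


def plan_sterm_conversion(smu_sterms, terminals, type_options):
    """Return (DFSDCxxx SIGNON value, TERMINALs needing OPTIONS=SIGNON).
    STERM ALL maps to SIGNON=ALL; otherwise SIGNON=SPECIFIC plus an explicit
    SIGNON option on each named TERMINAL not already resolving to SIGNON."""
    if "ALL" in smu_sterms:
        return "ALL", []
    need = [t.name for t in terminals
            if t.name.upper() in smu_sterms and effective_option(t, type_options) != "SIGNON"]
    return "SPECIFIC", need


if __name__ == "__main__":
    sterms = parse_smu_sign(SAMPLE_SMU_SIGN)
    dfsdc, to_add = plan_sterm_conversion(sterms, TERMINALS, TYPE_OPTIONS)
    print(f"DFSDCxxx: SIGNON={dfsdc}; add OPTIONS=SIGNON to: {to_add}")
    for t in TERMINALS:
        v9 = signon_required(t, "SPECIFIC", TYPE_OPTIONS, sterms, version=9)
        v10 = signon_required(t, "SPECIFIC", TYPE_OPTIONS, version=10)
        print(f"{t.name:8} V9 with SMU={v9!s:5} V10 without SMU={v10}")
```

The V9/V10 comparison in the report is the point of the exercise: TERM1 and TERM3 are still forced to sign on in V9 only because the SMU STERM statements are present, so removing those statements before the OPTIONS=SIGNON additions are in Stage 1 would silently drop the requirement.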
Other Considerations
Implementing LTERM Security with RACF
§ SMU can be used to provide LTERM-based transaction and/or command security (for static LTERMs)
        )( TERMINAL LTERM5
           COMMAND DIS
           TRANSACT TRANA
§ Equivalent security can be provided by RACF, but requires that RACF be called from the Transaction and/or Command Authorisation Exits (DFSCTRN0, DFSCCMD0). For example,
– Protect the static LTERMs with the LIMS resource class
– Define the commands (there are about 50) and/or transaction codes as userids
– In DFSCCMD0/DFSCTRN0, invoke RACF to VERIFY the IMS command/transaction as a userid, and authorize it against the LTERM name
Implementing LTERM Security with RACF
§ Or, for even tighter security,
– Create FACILITY class RACF profiles of command.lterm, e.g. DIS.LTERM5, and similarly for trancode.lterm, e.g. TRANA.LTERM5
– In DFSCCMD0/DFSCTRN0, call RACF to authorize the user ID/group to the resource class using the applicable resource combinations
§ The IBM tool “IMS ETO Support for z/OS” can be used to provide SMU-like security for
– TRANSACTION/LTERM
– TRANSACTION/PASSWORD
– COMMAND/LTERM
without requiring any user coding of the IMS Exits
– It supports both Static and Dynamic terminals
Implementing Password Security with RACF
§ SMU can provide additional protection for signed-on static terminals, by requiring the user to enter the SMU-defined password that is associated with a transaction or command (or resource for /LOCK, /UNLOCK and /SET)
§ RACF Solution
– Applies to static and ETO terminals
– Use the REVERIFY facilities in IMS and RACF
• Specify RVFY=Y in IMS
• Specify 'REVERIFY' in the APPLDATA section of the RACF profile for the transactions and command
– Requires a signed-on user to re-enter the signon password with the transaction or command input
        /DBR(mypassw) DATABASE XYZ
Migration Considerations ...
§ Enable RCF= value to something other than "N"
– Requires IMS cold start
§ Specify NORSCCC(MODBLKS) in DFSCGxxx
– Turn off resource consistency checking for Matrix data sets in an IMSplex environment
Migration Considerations ...
§ Consider possible conflicts of trancodes for AOI and current userids for users
– Possible MSNAME conflicts also
§ Define Matrix data sets
– V9 still required, but may be empty
– V10 no longer needed
Migration Considerations ...
§ Any of the following SECURITY macro options activate SMU
– PASSWD=YES or PASSWD=FORCE
• Override: /NRE NOPASSWORD
– TERMNL=YES or TERMNL=FORCE
• Override: /NRE NOTERMINAL
– TRANCMD=YES or TRANCMD=FORCE
• Override: AOI1=R
– TYPE=RACFAGN or TYPE=AGNEXIT
• Override: ISIS=R
Migration Considerations ...
§ AOI considerations
– CMD has a new status code and new return/reason (AIB) codes
– ICMD has new return/reason codes
§ Log record (type X'10') has new error codes
§ New and changed Exits
– DFSRAS00, DFSCCMD0, DFSISIS0, DFSMSCE0
Migration Checklist SMU to RACF
§ Translate AGN definitions to RACF
– Make sure new classes are activated in RACF
– Define new RAS parameters
• SECURITY macro or execution ISIS parameter
– Create DFSRAS00 to replace DFSISIS0
– Review JCL for AGN= specifications
§ For static terminals required to sign on
– Specify the SIGNON=ALL|SPECIFIC parameter in DFSDCxxx
– Optionally, specify OPTIONS=SIGNON on applicable TYPE/TERMINAL macros
Migration Checklist SMU to RACF ...
§ Enable SAF support for TCO command authorization
– TCORACF=Y and RCF=A|S|R|B
§ Review AOI requirements
– Specify the AOI parameter on the TRANSACT macro where needed
– For TYPE 1 CMD security, additionally specify AOI1 = A|N|C|R|S
§ Migrate /LOCK and /UNLOCK security
– Specify LOCKSEC=Y in DFSDCxxx
Migration Checklist SMU to RACF ...
§ Review MSC requirements for link receive security
– Specify use of SAF/DFSCTRN0 and the level of authorization checking in the new MSCSEC parameter in DFSDCxxx
– Modify DFSMSCE0 if needed
– Synchronize RACF profiles on sending and destination systems
§ Determine the need to change or write exit routines
SMU TO RACF CONVERSION UTILITIES
SMU to RACF Conversion Utilities
§ A set of standalone programs and JCL
§ Delivered via PTF
§ Documented in PSP bucket:
UPGRADE IMS910 SUBSET SMU2RACFCON
PTFs on IMS V9 and IMS V10 provide a set of utilities to help migrate SMU to RACF
§ IMS V9:
– PK68453/UK38824
– PK66015/UK37339
– PK56106/UK32791
– PK54996/UK32790
– PK38522/UK28607
– PK35433/UK21894
§ IMS V10:
– PK69107/UK38825
– PK66030/UK37313
– PK56185/UK33359
– PK58281/UK32794
– PK49538/UK31516
SMU to RACF Conversion Utilities
§ Application Group Name (AGN) security
– Use DFSKAGN0 to generate RACF RAS definitions
§ Type 1 Automated Operator Interface (AOI)
– Use DFSKDIMS (optional) and DFSKCIMS to generate RACF statements
– Use DFSKSMU1 and DFSKAOI1 to add the AOI parameter to TRANSACT macros in Stage 1
§ Terminal security for Time-Controlled Operations (TCO)
– Use DFSKDIMS (optional) and DFSKCIMS to generate RACF statements for LTERM DFSTCFI
§ MSC link-receive security
– The DFSKSTG0 Stage 1 Analysis report will provide advice on what is required
§ /LOCK, /UNLOCK and /SET commands with passwords
– The DFSKSTG0 Stage 1 Analysis report will provide advice on what is required
§ Static terminal Signon verification
– Use DFSKSMU1 and DFSKSMU2 to add the SIGNON option to TERMINAL macros in Stage 1
SUMMARY
§ IMS 9 and IMS 10 include a set of utilities to simplify and expedite the migration from SMU
– Supplied via PTFs
– Addresses the most manually intensive tasks
– Creates corresponding RACF statements
– Updates IMS Stage 1 TRANSACT and/or TERMINAL macros as needed
§ Not meant as a total solution!
– Generated RACF statements may well require additional editing
– Customers using different flavors of the same type of SMU security, e.g. )( CTRANS and )( TCOMMAND, may have to convert different subsets of SMU source in different ways
§ The Stage 1 Analysis Report documents all the appropriate tasks for migrating off SMU
References
References for Security Information
§ IMS V10 System Administration Guide, Chapter 8
   SC18-9718-00, available for viewing or download at http://www.ibm.com/ims
§ IMS V9 System Administration Guide, Chapter 4
   SC18-7807-00, available for viewing or download at http://www.ibm.com/ims
§ IMS Version 9 Implementation Guide, Chapter 6
   SG24-6398, http://www.redbooks.ibm.com/redbooks/pdfs/sg246398.pdf
References for Security Information
§ IMS V7 Performance Guide (Redbook), Chapter 19
   SG24-6404, http://www.redbooks.ibm.com/redbooks/pdfs/sg246404.pdf
§ IMS V6 Security Guide (Redbook) (still valid despite its age)
   SG24-5363, http://www.redbooks.ibm.com/redbooks/pdfs/sg245363.pdf
§ IMS Primer (Redbook), Chapter 24
   SG24-5352, http://www.redbooks.ibm.com/redbooks/pdfs/sg245352.pdf
§ z/OS Security Server RACF Security Administrator's Guide, SA22-7683-11, Chapter 16: RACF and IMS (concise but missing updates)
References for Security Information
§ Presentations
   http://www-306.ibm.com/software/data/ims/shelf/presentations/
   Especially:
– "Security Options and Considerations for OTMA, IMS Connect, and the MQSeries Bridge Application"
– "Converting IMS SMU Security to RACF with V9"
RACF tools
§ RACTRACE tool: can trace every RACF call from a selected address space via WTO
   The tool and documentation can be downloaded from:
   ftp://www.redbooks.ibm.com/redbooks/GG243984/
§ Other RACF “goodies”:
   http://www-03.ibm.com/servers/eserver/zseries/zos/racf/goodies.html
Visit the IMS Home Page Frequently
§ www.ibm.com/ims contains links to
– Upcoming Webcasts, Roadshows and other events
– Samples submitted by IBM and customers (IMS Examples Exchange)
– Presentations/papers
– Library
– IMS Tools and the Tools library
– Information Center
– IMS Newsletters
Online User Forums
IMS-L: http://imslistserv.bmc.com/
Virtual IMS Connection: http://www.virtualims.com
IMS Society: http://www.imssociety.com/board/index.php
Call or Write
Maida Snapper
maidalee@us.ibm.com
845-620-5762
Hints and Tips and FAQs
SMU Conversion FAQs
1) When I change the RCF value, do I need to COLD start?
YES! Changing the RCF parameter requires a COLD start of IMS to take effect.
2) How do I convert the SMU TERMINAL statements for WTO and MTO to RACF?
If your SMU allows WTO and MTO to do all commands then no action is necessary. IMS bypasses the RACF check for commands from the System Console and MTO.
3) I removed all my STERM statements from SMU. Why does IMS still see them?
If you have no STERM statements then the Security Gen (DFSISMP0 SMU utility) will not produce a new version of member DFSISSOx. If there is an existing DFSISSOx in the MATRIX dataset, the utility will not delete it. You need to do that yourself by deleting or renaming it. This applies to any of the MATRIX dataset members when all of their corresponding control statements have been removed from SMU.
4) I tried to turn off Type 1 AOI security by starting IMS with /NRE NOTRANCMDS. Why are all CMD calls now being rejected?
In IMS V9, TRANCMD=NO on the SECURITY macro and NOTRANCMDS on an IMS restart do not have the same effect. TRANCMD=NO or AOI1=N turns off security for CMD calls. Starting IMS with NOTRANCMDS means transactions cannot issue the CMD call. In IMS V10 NOTRANCMDS is ignored.
SMU Conversion FAQs
5) How can I force the TCO terminal, DFSTCF, to sign on if I can’t code it in the IMSGEN?
The only way to force the TCO terminal to sign on is to code SIGNON=ALL in DFSDCxxx. If you code SIGNON=SPECIFIC or SIGNON=NONE, the TCO terminal will not be required to sign on.
6) Why does my TCO script execute even though I didn’t put a valid user ID and password sign on in the script?
If TCO doesn’t sign on, or signs on and fails verification, and you do not require the TCO terminal to sign on (see above), then RACF will use the IMS control region user ID. If the IMS control region user ID is authorized to do the transaction or command, the script will execute.
7) Why are some of the commands in my TCO script being rejected by RACF even though I have a valid TCO user ID that signs on in the script?
If you put a /SIGN OFF at the end of the TCO script, the RACF ACEE for the TCO user ID will be deleted at signoff time. Any time-initiated commands or transactions scheduled to execute at a later time will fail the RACF check. The exception to this is when you do not require the TCO terminal to sign on and the IMS control region is authorized to do the transaction or command. Recommend you do not put /SIGN OFF in the script.
SMU Conversion FAQs
8) Why is SMU rejecting transactions even though I specified RACF for transaction authorization and I removed all the TERMINAL statements from SMU?
If RACF security is specified for transactions from static terminals, and if the SECURITY macro specifies TERMNL=YES or PASSWD=YES, then IMS will do both RACF and SMU security checks for transactions from static terminals. The SMU checks will be done after the RACF checks. During your SMU migration, if you removed TERMINAL statements from your SMU but did not set TERMNL=NO, static terminal users could receive SMU security violations even though they are authorized by RACF. This only applies to transactions, not commands.
9) Why am I getting a DFS171A Security Load Failed after I removed all my SMU statements and emptied my MATRIX dataset?
If your SECURITY macro specifies TERMNL=YES and/or PASSWD=YES, IMS expects to be able to load the MATRIX dataset member that contains SMU TERMINAL statements or SMU PASSWORD statements. If you remove the TERMINAL and PASSWORD statements from SMU but you still have TERMNL=YES and/or PASSWD=YES specified on the SECURITY macro, IMS will issue the DFS171A message at initialization. This is an informational message and IMS will come up.
SMU Conversion FAQs
10) Do I have to remove the AGN parameter on all my BMP jobs when I convert from SMU to RACF?
No. The AGN parameter on all procedures is valid for compatibility and ignored.
11) Do I have to change ISIS=0 to ISIS=N for IMS V10?
It depends on what your SECURITY macro specifies. IMS V10 ignores ISIS=0,1,2, which means the TYPE specification on the SECURITY macro will be used to determine the setting for RAS security.
12) If I want all my static terminals to sign on, do I have to code OPTIONS=SIGNON on every static terminal macro?
No. When you want all of your static terminals to sign on, you can specify SIGNON=ALL in the DFSDCxxx PROCLIB member. This requires all static terminals to sign on except MTO, LU6.1, 3284/3286, and SLU1 printer-only devices. If you want the MTO to sign on, specify OPTIONS=SIGNON on the MTO’s TYPE or TERMINAL macro.
13) Why are CMD calls being rejected even though I coded AOI1=R?
AOI1=R has no effect unless AOI= is coded on the TRANSACT macro.
SMU Conversion FAQs
14) What user ID is used for AO application programs when AOI=YES in the TRANSACT macro?
If the AOI program is an MPP or IFP and a message GU call has completed, the user ID is the user at the signed-on terminal or the LTERM name of the signed-off terminal where the transaction is issued. If GU is not issued, the PSB name is used. If the AOI program is a BMP, and a message GU call has completed, the user ID is the user of a signed-on terminal or the LTERM name of the signed-off terminal where the transaction is issued. If GU is not issued or if the BMP is non-message driven, the value of the USER parameter specified on the JCL JOB statement is used. If the USER parameter is not specified, a user ID of 0000000 is used. If the AOI program is a DRA THREAD, the security token that is passed in the PAPL for a schedule request is used to determine whether the user can issue command calls.
15) How can I convert SMU LTERM security to RACF transaction authorization for transactions coming over an ISC link from a device that is unable to sign on?
One possible approach: if sign on is not required, then the IMS control region user ID is used when IMS calls RACF. If the IMS control region user ID is authorized, then the Transaction Authorization Exit (DFSCTRN0) will be called for further checking. If the ISC transaction makes a CHNG call, IMS will use the LTERM name as the user ID and try to create an ACEE for it. You could create a user ID for the LTERM name or use the Security Reverification Exit (DFSCTSE0) to override the RACF failure.
Hints and Tips
1) If you change the RCF parameter, a COLD start is required for the change to take effect.
2) If you protect the RECONs in RACF, be sure users have authorization to all 3 RECON datasets. If the VSAM open for either RECON1 or RECON2 fails because of a RACF security violation, IMS interprets the open failure as an I/O error and discards that RECON dataset.
3) Opening a VSAM dataset for update requires CONTROL access in RACF (for CI split processing).
4) If you change the RCLASS and request RACF security, be sure you have defined your new C,T,I,L classes in the RACF CDT and ACTIVATEd them in RACF before you start IMS. If required classes are not defined, IMS will abend at initialization with a U0166 abend. You don’t have to define any resource profiles in the classes, but the classes must be defined to RACF in the CDT. If you don’t define the F,S,O,P classes, IMS will issue informational message DFS2466I but not abend. (Application programs may not be able to do AUTH calls.)
5) In IMS V9, all IMS jobs, utilities and subsystems in which DBRC is active require CONTROL access to the RECONs. IMS V10 provides the option of opening the RECON for read-only access.
Hints and Tips
6) CMDMCS guides the authorization of IMS commands that originate from MCS consoles. If CMDMCS=R, the userid of the MCS console is checked by RACF before allowing the command. If the command is a DBRC command (/RMx) and the /RMx command is authorized by the CMDMCS RACF check, then the DBRC security check is not done.
7) /RM commands are automatically authorized if they come from the MVS console or the IMS master. No DBRC security check is done.
8) When either the AOIS or CMDMCS startup values indicate that DFSCCMD0 (Command Authorization Exit) is to be invoked, DFSCCMD0 must be included in the IMS system or IMS abends with a U0718 at initialization.
9) An input message going from the front end (FE) IMS to the back end (BE) IMS includes the user ID and group name. If transaction authorization is activated on the BE and the application issues a CHNG call, IMS calls RACF to create an ACEE based on the user ID and group name that was passed from the FE in the IOPCB. If the BE uses a different RACF database, the user must be attached to the same RACF group on the BE as he is on the FE or authorization on the BE will fail: INVALID GROUP. If the RACF database is not shared, recommend keeping them in sync.
Hints and Tips
10) If SIGNON=SPECIFIC in DFSDCxxx then NOSIGNON will be the default for all static terminals.
11) Console and Master are never required to sign on and are not impacted by STERM ALL or SIGNON=ALL.
12) IMS bypasses the RACF check for commands from the system console and MTO. Transactions from the system console are handled the same as transactions coming from any static terminal. This means sign on may be required for transactions.
13) RACF does not have to be enabled for every type of input source. For example, it’s ok to say RCF=N and ISIS=R to have RACF RAS security but no RACF security for commands or transactions from SNA terminal users.
14) ODBA (e.g. DB2 stored procedures) can be secured using APSB security by specifying ODBASE=Y (and RACF turned on) or you can use RAS security by specifying ISIS=R. If both ODBASE and ISIS are specified, ODBASE will be used for ODBA.
15) You can do an IMSGEN with TRANEX specified and not have a Transaction Authorization exit. There will be an unresolved reference for DFSCTRN0. If this exit is later added, you need to relink the IMS Nucleus (DFSVNUCx) to pick up the exit. Copying the exit to RESLIB is not enough.
Hints and Tips
16) An AOI program issuing an unauthorized CMD call will receive a CD status code.
17) Any time IMS issues a RACROUTE that results in an update of the RACF database, it causes an exclusive enqueue on the data set. For example, /SIGN with NEWPW and VERIFY.
18) To find out if more than one profile protects a particular resource, issue the RLIST command with the RESGROUP operand. For example:
        RLIST CIMS EXI RESGROUP
RLIST RESGROUP does not support generic matches. If you define a profile and use generic characters such as (*) to add members to the profile, RLIST RESGROUP will not return any of the matching profiles in its output. For example,
        RDEF GIMS GIMSGRP ADDMEM(ABC*)
        RLIST GIMS ABCD RESGROUP
ABC* will not appear in the RLIST output.
19) If you have no STERM statements then DFSISMP0 (SMU utility) will not produce a new version of member DFSISSOx. If there is an existing DFSISSOx in the MATRIX dataset, the utility will not delete it. You need to remove the member yourself by deleting or renaming it. This applies to any of the MATRIX dataset members when all of their corresponding control statements have been removed from SMU.
Hints and Tips
20) Sample approach to replace LTERM security for an ISC link that doesn’t sign on: If signon is not required, then the CTL region user ID is used on the FASTAUTH against the transaction name. You could then use the DFSCTRN0 exit to check security. If the ISC transaction subsequently makes a CHNG call, IMS will use the LTERM name as the user ID and try to create an ACEE for it. You could create user IDs for the LTERM names or use DFSCTSE0 to override the RACF failure.
21) If you implement TCORACF security you need a /SIGN ON in the TCO script with a user ID and password. This will create an ACEE for the TCO user ID to authorize transactions and commands issued by the script. If you put a /SIGN OFF in the script, the ACEE will be deleted and any time-initiated commands or transactions scheduled to execute at a later time will fail the RACF check. Recommend you do not /SIGN OFF.
22) If RACF security is specified for transactions from static terminals, and if the SECURITY macro specifies TERMNL=YES/FORCE or PASSWD=YES/FORCE, then IMS will do both RACF and SMU security checks for transactions from static terminals. The SMU checks will be done after the RACF checks are done. During your SMU migration, if you removed TERMINAL statements from your SMU but did not set TERMNL=NO, static terminal users can receive SMU security violations even though they are authorized by RACF. This only applies to transactions, not commands.
Hints and Tips
23) RACF always uses the most specific (discrete) profile it can find for the resource. Be aware of things like this:
        RDEF FACILITY PROD.LIST.DB.* UACC(NONE)
        PERMIT PROD.LIST.DB.* CLASS(FACILITY) ID(JONES) ACCESS(READ)
        RDEF FACILITY PROD.LIST.DB.AAA UACC(NONE)
        PERMIT PROD.LIST.DB.AAA CLASS(FACILITY) ID(SANCHEZ) ACCESS(READ)
• Jones cannot do LIST.DB DBD(AAA), but Jones can list database AAA by using LIST.DB ALL
Be aware of things like this:
        RDEF TIMS ** UACC(NONE)
        PERMIT ** CLASS(TIMS) ID(JONES) ACCESS(READ)
        RDEF TIMS ADDINV UACC(NONE)
        PERMIT ADDINV CLASS(TIMS) ID(SANCHEZ)
Jones cannot access the ADDINV transaction.
Hints and Tips
24) If USER1 is in the access list of the generic ** profile and there is another access list for a specific member of that same class, then USER1 will not have access to that specific member. For example:
        PE ** CLASS(CIMS) ID(MAIDA) ACCESS(READ)
        PE DIS CLASS(CIMS) ID(JAMES) ACCESS(READ)
results in MAIDA having access to all commands except /DIS.
25) In IMS V10, ISIS=0,1,2 are ignored and ISIS will default to the TYPE specification on the SECURITY macro for RAS security.
26) AGN coded on procedures is valid for compatibility but ignored.
27) RACF ALTER access is required to extend database datasets to new candidate volumes.
28) If you activate RAS security, then every dependent region will need to be authorized to the IMSid protected in the APPL class.
29) CIMS resource names must be the first 3 characters of the IMS command.
Hints and Tips
30) If sign on is not required and the user does not sign on, RACF uses the ACEE of the “default environment” for authorization. (ETO terminals are always required to sign on.) The “default environment” could be the IMS control region or it could be the dependent region.
31) With TERMNL=YES specified on the SECURITY macro, IMS expects to be able to load the MATRIX dataset member that contains SMU TERMINAL statements. With PASSWD=YES specified on the SECURITY macro, IMS expects to be able to load the MATRIX member that contains PASSWORD statements. If you remove all TERMINAL and/or PASSWORD statements from SMU and you have TERMNL=YES and/or PASSWD=YES specified on the SECURITY macro, IMS will issue the DFS171A message at initialization. This is informational and IMS will still come up.
32) When no command security is specified for a given input source, you will get default security for commands entered from that source. For example, if you set up RACF command authorization to allow /DIS from terminals, but you did not specify a value for APPCSE, then the default security for APPC allows only the /BROADCAST, /LOG, /RDISPLAY and /RMLIST commands and the /DIS command will not be accepted from an APPC device.
33) Default security only applies to commands, not transactions.
Hints and Tips
34) Unless you have RACF configured for SYSPLEX communication, a SETR RACLIST(TIMS) REFRESH on SYSA is not propagated to SYSB. You have to issue the same command on SYSB as well.
35) You might have to recycle IMS to grant new dataset access. If new access is given to a GROUP and IMS was not previously connected to that GROUP, then IMS will need to be recycled. If the access was given to IMS or a GROUP IMS was already connected to, then refreshing the profile should be enough. If the profile is generic, then
        SETROPTS REFRESH GENERIC(DATASET)
needs to be issued. You don’t have to recycle IMS for RACF resource profile changes to take effect. You only need to refresh the RACF dataspace by issuing
        SETR RACLIST(classname) REFRESH
Classname should always be the member class (e.g. CIMS), not the grouping class (e.g. DIMS).
36) When you have class pairs of MEMBER and GROUP types, all action items (other than changing profiles) are against the MEMBER class.
Hints and Tips
37) The ** (G) profile covers all resources NOT already defined in the class. For example, RDEF CIMS ** UACC(NONE) covers all commands that do not have their own profile in CIMS or a DIMS group. RACF looks for:
a) A discrete CIMS profile (merged with information from the DIMS class and the ADDMEMs referenced in DIMS profiles as matches for the CIMS profiles), using the most restrictive
b) If no discrete CIMS profile is found but there are CIMS or DIMS generic profiles, then the "best" or most accurate match is used.
c) Finally, the ** (G) profile covers all other IMS commands not already defined in CIMS as either DISCRETE or GENERIC.
This final profile is often called the backstop or profile of last resort.
Hints and Tips
38) Member class and Grouping class definitions are merged when RACLISTed. IMS authorization calls are made against the member class. When there are “conflicts”, the most restrictive definition is used.
39) If a resource name appears in more than one resource group and/or has a discrete profile of its own with conflicting UACCs, RACF chooses the most restrictive UACC. If a user is in more than one access list for the same resource, the information is merged and the most permissive (least restrictive) ACCESS is used. (See z/OS Security Server RACF Security Administrator's Guide: Resolving Conflicts among Multiple Profiles.) Be aware of things like this:
        RDEF DIMS DBAGROUP(ADDMEM DBR) UACC NONE
        RDEF DIMS SYSPROG(ADDMEM DBR) UACC NONE
        PE DBAGROUP CLASS(DIMS) ID(JOE) ACCESS(NONE)
        PE SYSPROG CLASS(DIMS) ID(JOE) ACCESS(READ)
After the merge, JOE has READ access to the /DBR command.
40) The /SIGN and /RCLDST commands are the only commands that an ETO terminal can enter before it signs on. RACF is not called to authorize these commands.
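Hints 23, 24, 37 and 39 all come down to two questions: which profiles RACF merges for a given resource, and how access is computed from the merged set. The following is an added Python model, not from the presentation and a deliberate simplification of RACF's real generic-profile ordering (it ranks generics by the length of their literal prefix, and only honours discrete ADDMEM names in grouping profiles). The profiles reproduce the hints' own examples as constructed data; the class names `Profile` and `ClassPair`, the DB* generic, the OPS1 and STA/DBD resources, and the function names are this example's assumptions. Run against the hints' examples it gives MAIDA no access to /DIS (hint 24), JONES no access to PROD.LIST.DB.AAA (hint 23), and JOE READ on /DBR after the DIMS merge (hint 39).

```python
"""Added example (not from the IBM presentation): a small model of how RACF
chooses the profile(s) protecting an IMS resource and what access a user
gets after the merge, covering hints 23, 24, 37 and 39.

Assumptions (not from the page): "most specific generic" is approximated by
the longest literal prefix; grouping-class ADDMEM names are matched only
discretely; all profiles, userids and resources below are constructed.
"""
import re

ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def _rank(level):
    return ACCESS_LEVELS.index(level)


def _generic_to_regex(name):
    """** spans qualifiers, * stays inside one qualifier, % is one character."""
    out, i = [], 0
    while i < len(name):
        if name.startswith("**", i):
            out.append(".*"); i += 2
        elif name[i] == "*":
            out.append("[^.]*"); i += 1
        elif name[i] == "%":
            out.append("[^.]"); i += 1
        else:
            out.append(re.escape(name[i])); i += 1
    return "".join(out)


class Profile:
    """One discrete or generic profile: name, UACC, access list, ADDMEM list."""

    def __init__(self, name, uacc="NONE", permits=None, members=None):
        self.name = name
        self.uacc = uacc
        self.permits = dict(permits or {})     # userid -> access level
        self.members = list(members or [])     # ADDMEM (grouping class only)

    def is_generic(self):
        return any(c in self.name for c in "*%")

    def matches(self, resource):
        if not self.is_generic():
            return self.name == resource
        return re.fullmatch(_generic_to_regex(self.name), resource) is not None

    def specificity(self):
        """Longer literal prefix before the first generic character wins."""
        m = re.search(r"[*%]", self.name)
        return len(self.name) if m is None else m.start()


class ClassPair:
    """A member class (e.g. CIMS) plus its grouping class (e.g. DIMS). IMS
    authorizes against the member class; grouping profiles are merged in."""

    def __init__(self, member_profiles=(), group_profiles=()):
        self.member = list(member_profiles)
        self.group = list(group_profiles)

    def protecting_profiles(self, resource):
        """Hint 37: discrete profile plus grouping profiles naming the resource;
        otherwise the best-matching generic (the ** backstop is the least
        specific generic, so it is chosen only when nothing else matches)."""
        discrete = [p for p in self.member if not p.is_generic() and p.name == resource]
        groups = [g for g in self.group if resource in g.members]
        if discrete or groups:
            return discrete + groups
        generics = [p for p in self.member if p.is_generic() and p.matches(resource)]
        if not generics:
            return []
        return [max(generics, key=lambda p: p.specificity())]

    def access(self, userid, resource):
        """Hint 39: most restrictive UACC, but the most permissive entry among
        the access lists the user appears in. None means no profile at all
        (IMS grants access in that case, per the LOCKSEC slide)."""
        profiles = self.protecting_profiles(resource)
        if not profiles:
            return None
        uacc = min((p.uacc for p in profiles), key=_rank)
        user_levels = [p.permits[userid] for p in profiles if userid in p.permits]
        return max(user_levels, key=_rank) if user_levels else uacc


# Constructed CIMS/DIMS definitions echoing hints 24, 37 and 39.
CIMS_DIMS = ClassPair(
    member_profiles=[
        Profile("**", permits={"MAIDA": "READ"}),      # backstop (hint 24)
        Profile("DB*", permits={"OPS1": "READ"}),      # more specific generic
        Profile("DIS", permits={"JAMES": "READ"}),     # discrete (hint 24)
    ],
    group_profiles=[
        Profile("DBAGROUP", permits={"JOE": "NONE"}, members=["DBR"]),  # hint 39
        Profile("SYSPROG", permits={"JOE": "READ"}, members=["DBR"]),
    ],
)

# Constructed FACILITY definitions echoing hint 23 (no grouping class).
FACILITY = ClassPair(member_profiles=[
    Profile("PROD.LIST.DB.*", permits={"JONES": "READ"}),
    Profile("PROD.LIST.DB.AAA", permits={"SANCHEZ": "READ"}),
])

if __name__ == "__main__":
    for uid, res in [("MAIDA", "DIS"), ("MAIDA", "STA"), ("MAIDA", "DBD"), ("JOE", "DBR")]:
        print(f"CIMS {res:4} {uid:7} -> {CIMS_DIMS.access(uid, res)}")
    for uid, res in [("JONES", "PROD.LIST.DB.AAA"), ("JONES", "PROD.LIST.DB.BBB")]:
        print(f"FACILITY {res} {uid} -> {FACILITY.access(uid, res)}")
```

The useful check this gives an administrator is the one hint 18 says RLIST RESGROUP cannot do for generics: ask `protecting_profiles` what would actually be merged for a resource before granting on the backstop and assuming it carries over to discrete profiles.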