Part 1: IMS SECURITY BASICS
Part 2: SMU CONVERSION


Maida Snapper, IMS Specialist, IBM maidalee@us.ibm.com


Disclaimer
Copyright IBM Corporation [current year]. All rights reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM'S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE USE OF IBM PRODUCTS AND/OR SOFTWARE.

IBM, the IBM logo, ibm.com, DB2, CICS, RACF and IMS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml. Other company, product, or service names may be trademarks or service marks of others.



PART 1: SECURITY BASICS


Develop an IMS Security Strategy

- Which IMS resources need protection
- What protection do they need
- Who can access them
- What security facilities will be used
  - There is often more than one way to protect a given resource.


Which Resources Need Protection

- IMS application (CTL, DL/I, etc.)
- Transactions
- Commands
- Terminals
- PSBs
- Datasets
- Databases (records, fields, segments)
- Dependent regions and connection threads
- Coupling Facility structures
- IMSplex XCF group


Security Facilities

- IMS default security
- Program Specification Block (PSB)
- Encryption
- VSAM password protection
- Application-based security
- Physical security
- RACF (or other SAF product)
- Exits


Security Facilities - IMS Default Security

- Limits commands from sources other than IMS Master and TCO
- Applies only to IMS type-1 commands
- Is based on the command source of entry
- Is what you get when you do not specify a command security option for commands entered from that source
- Is not optional: it can only be deactivated by specifying command security for commands entered from that source

IMS V10 Command Reference Volume 1



Security Facilities - IMS Default Security

Commands allowed by default when a static or ETO terminal is the source of entry:
  /BROADCAST  /CANCEL   /DIAGNOSE  /END      /EXCLUSIVE  /EXIT
  /FORMAT     /HOLD     /IAM       /LOCK     /LOG        /LOOPTEST
  /RCLDST     /RCOMPT   /RDISPLAY  /RELEASE  /RESET      /RMLIST
  /SET        /SIGN     /TEST      /UNLOCK


Security Facilities - IMS Default Security

Commands allowed by default when OTMA is the source of command entry:
  /LOCK  /LOG  /RDISPLAY


Security Facilities - IMS Default Security

Commands allowed by default when LU6.2 is the source of command entry:
  /BROADCAST  /LOCK  /LOG  /RDISPLAY  /RMLIST


Security Facilities - IMS Default Security

EXAMPLE
  RCF=A
  APPCSE=N
  RDEF CIMS DIS UACC(READ)

Result:
  /DIS from 3270-type terminals is accepted
  /DIS from LU6.2 over APPC is a security violation
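How IMS decides which check governs a type-1 command for a given source of entry, written up as an added Python illustration of the example above (not IBM code). The per-source default command lists and the meaning of the RCF= values are taken from this deck; the RACF stand-in is a plain dict of CIMS profile names to UACC and ignores access lists.

```python
"""Which check governs an IMS type-1 command, by source of entry.

Added illustration, not IBM code. Rules as stated on these slides:
- no command security option for a source -> IMS default security
  (a fixed per-source list of commands) applies to that source;
- RCF=C/Y request RACF command authorization for ETO terminals,
  RCF=S/A for static and ETO terminals;
- APPCSE=N / OTMASE=N mean no command security is specified for
  LU6.2 / OTMA input.
"""
from typing import Dict, Tuple

# Commands IMS default security allows, per source of entry (from the slides).
DEFAULT_ALLOWED = {
    "STATIC": {"BROADCAST", "CANCEL", "DIAGNOSE", "END", "EXCLUSIVE", "EXIT",
               "FORMAT", "HOLD", "IAM", "LOCK", "LOG", "LOOPTEST", "RCLDST",
               "RCOMPT", "RDISPLAY", "RELEASE", "RESET", "RMLIST", "SET",
               "SIGN", "TEST", "UNLOCK"},
    "OTMA": {"LOCK", "LOG", "RDISPLAY"},
    "LU62": {"BROADCAST", "LOCK", "LOG", "RDISPLAY", "RMLIST"},
}
DEFAULT_ALLOWED["ETO"] = DEFAULT_ALLOWED["STATIC"]  # same list for static and ETO terminals


def command_verb(command: str) -> str:
    """'/DIS' or '/DISPLAY' -> 'DIS': the first 3 characters name the CIMS profile."""
    return command.lstrip("/").upper()[:3]


def racf_requested(source: str, rcf: str, appcse: str, otmase: str) -> bool:
    """True when a RACF command security option is specified for this source."""
    if source == "ETO":
        return rcf in ("C", "S", "Y", "A")
    if source == "STATIC":
        return rcf in ("S", "A")
    if source == "LU62":
        return appcse != "N"
    if source == "OTMA":
        return otmase != "N"
    raise ValueError(f"unknown source of entry: {source}")


def authorize_command(command: str, source: str, cims_uacc: Dict[str, str],
                      rcf: str = "N", appcse: str = "N", otmase: str = "N") -> Tuple[bool, str]:
    """Return (accepted, reason) for a type-1 command entered from `source`.

    cims_uacc stands in for the RACLISTed CIMS profiles as {profile_name: UACC};
    access lists are ignored here (simplification).
    """
    verb = command_verb(command)
    if racf_requested(source, rcf, appcse, otmase):
        uacc = cims_uacc.get(verb)
        if uacc is None:            # RC 4: no profile, IMS grants access
            return True, f"RACF: no CIMS profile for {verb} (RC 4), IMS grants access"
        if uacc != "NONE":          # RC 0
            return True, f"RACF: CIMS {verb} UACC({uacc})"
        return False, f"RACF: CIMS {verb} UACC(NONE), security violation"   # RC 8
    # No command security option for this source: IMS default security applies.
    if verb in {c[:3] for c in DEFAULT_ALLOWED[source]}:
        return True, f"default security: /{verb} allowed from {source}"
    return False, f"default security: /{verb} not allowed from {source}, security violation"


def slide_example() -> Dict[str, Tuple[bool, str]]:
    """The slide's case: RCF=A, APPCSE=N, RDEF CIMS DIS UACC(READ)."""
    cims = {"DIS": "READ"}
    return {
        "3270": authorize_command("/DIS", "STATIC", cims, rcf="A", appcse="N"),
        "LU62": authorize_command("/DIS", "LU62", cims, rcf="A", appcse="N"),
    }


if __name__ == "__main__":
    for src, (ok, why) in slide_example().items():
        print(src, "accepted" if ok else "rejected", "-", why)
```

Note the RC 4 branch: a command whose CIMS profile was never defined is accepted once RACF is requested for that source, so the audit of which profiles exist matters as much as the RCF= setting.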


Security Facilities - PSB

- PSB (Program Specification Block) provides database security
  - Data sensitivity (SENSEG, SENFLD) describes the application view of the database
  - Processing options (PROCOPT) define what the application can do (e.g. read or update)
- PSB should be coded to facilitate security requirements
  - Define only the segments and fields needed
  - Use only the processing option needed
- PSB is a trusted resource
  - IMS makes no security calls for hard-coded resources in a PSB
  - A user authorized to submit a transaction using the PSB is also authorized to submit a transaction to a destination hard-coded in the alternate PCB.


Security Facilities - Encryption

- Database encryption may be performed by zSeries and S/390 Crypto Hardware features
- z/OS Cryptographic Services
  - Integrated Cryptographic Service Facility (ICSF), a component of z/OS Cryptographic Services, is the software interface to the crypto hardware
- Segment Edit/Compression Exit Routine (DFSCMPX0)
  - can invoke a user-supplied encryption routine
  - can call ICSF or another product
  - can invoke the IBM Data Encryption for IMS and DB2 Databases tool (5655-P03)
  - can be different for each segment

Security Facilities - Encryption

Data Encryption for DB2 and IMS Databases tool:
- requires the IBM optional Crypto Express2 (CEX2) hardware feature
- requires ICSF, the software interface to the crypto hardware
- requires the standard CP Assist for Crypto Function (CPACF) to be enabled and active if the clear key exit is used
- is recommended over roll-your-own solutions, as extensive testing has been done to ensure the product works with all the product interfaces
- requires no changes to applications, just a change to the DBD to define the exit routine

Security Facilities - Encryption

Sample PAYROLL Database (segment hierarchy):
  NAME
    ADDRESS
    PAYROLL

The segment to be encrypted names the exit on its SEGM statement:
  SEGM ...,COMPRTN=(routinename,DATA,INIT,MAX)


Security Facilities - Encryption

Sample DBD For Payroll Database

  DBD      NAME=PAYROLDB,ACCESS=HISAM
  DATASET  DD1=PAYROLL,OVFLW=PAYROLOV,
  SEGM     NAME=NAME,BYTES=150,FREQ=1000,PARENT=0
  FIELD    NAME=(EMPLOYEE,SEQ,U),BYTES=60,START=1,TYPE=C
  FIELD    NAME=MANNBR,BYTES=15,START=61,TYPE=C
  FIELD    NAME=ADDR,BYTES=75,START=76,TYPE=C
  SEGM     NAME=ADDRESS,BYTES=200,FREQ=2,PARENT=NAME
  FIELD    NAME=HOMEADDR,BYTES=100,START=1,TYPE=C
  FIELD    NAME=COMAILOC,BYTES=100,START=101,TYPE=C
  SEGM     NAME=PAYROLL,BYTES=100,FREQ=1,PARENT=NAME,COMPRTN=(DFSCMPX0,DATA,INIT,MAX)
  FIELD    NAME=HOURS,BYTES=15,START=51,TYPE=P
  FIELD    NAME=BASICPAY,BYTES=15,START=1,TYPE=P
  DBDGEN
  FINISH
  END


Security Facilities - VSAM Password Protection

VSAM password protection for IMS databases in batch environments
- prevents accidental access of IMS databases by non-IMS programs
- is used in conjunction with the VSAM CONTROLPW specification on VSAM DEFINE statements
- is requested with PASSWD=YES/NO on the DBD
- is ignored in the IMS Online (DB/DC) environment

Security Facilities - VSAM Password Protection

PASSWD=NO on the DBD statement
- is the default
- specifies that the DBDNAME for this DBD should not be used as the VSAM password
- in IMS Batch, causes the operator to be prompted for the password each time a data set is opened

Security Facilities - VSAM Password Protection

PASSWD=YES on the DBD statement
- DL/I open uses the DBDNAME as the VSAM password for each dataset
- all datasets for the DBD must use the same password
- the CONTROLPW or MASTERPW password on the VSAM DEFINE must be the same as the DBDNAME for the DBD
- invalid for ACCESS=LOGICAL, MSDB, DEDB



Security Facilities - Application-based security

- Application program can perform its own security checks
- Security rules could be stored in
  - an internal table in the program
  - a database
  - RACF
    - the application program can access RACF information with the DL/I AUTH call
      - Database
      - Field
      - Segment
      - Other
- Application program grants or denies resource access based on the USERID of the user who entered the transaction

Security Facilities - Physical Security



Security Facilities - RACF


Setting Up RACF

- Create Resource Class descriptions in the Class Descriptor Table (CDT)
  - e.g. TIMS, CIMS, or installation defined
  - Make sure the IMS Resource Classes are activated in RACF
- Populate the RACF database
  - Create group & user profiles
    - Define groups
    - Define users
    - Connect users to groups
  - Create resource profiles
    - Define a profile in the appropriate class for each resource to be secured
  - Create access lists
    - Permit groups | users to access the resource

RACF Resource Class

- Collection of profiles with similar characteristics
- Defined in the Class Descriptor Table (CDT)
  - Can be defined dynamically
  - Maximum 1024
- Two types of resource classes
  - Member class, example CIMS: one profile protects one command
  - Grouping class, example DIMS: one profile protects several commands

RACF Resource Class


Example of some resource classes delivered with RACF: TIMS, CIMS, IIMS, LIMS


RACF Resource Class

RACF default resource classes used exclusively by IMS (RCLASS=IMS)

  Member | Grouping   Protects
  CIMS   | DIMS       Commands (first 3 characters of command)
  TIMS   | GIMS       Transactions (trancode)
  IIMS   | JIMS       Program Specification Blocks (PSBs)
  LIMS   | MIMS       Logical terminals (LTERM)
  AIMS                APSB (Allocate PSB) for CPIC-PSB and ODBA
  RIMS                asynch hold queues for RESUME TPIPE call
  FIMS   | HIMS       Database fields (for AUTH calls)
  SIMS   | UIMS       Database segments (for AUTH calls)
  OIMS   | WIMS       Other (information in RACF for AUTH calls)
  PIMS   | QIMS       Databases (for AUTH call)

RACF Resource Class

RACF resource classes not exclusive to IMS:
  TERMINAL | GTERMINL
  APPL
  VTAMAPPL
  APPCPORT
  APPCLU
  APPCTP
  DATASET
  FACILITY
  OPERCMDS
  STARTED

RACF Resource Class


Example of some installation-defined resource classes when RCLASS=IMSTEST: TIMSTEST, CIMSTEST, IIMSTEST, LIMSTEST


RACF Resource Class

- RCLASS specification in IMS
  - 1-7 alphanumerics
  - defined on the SECURITY macro
  - overridden in DFSDCxxx
  - default = IMS
- A different RCLASS can be used to define different RACF rules for different IMS systems sharing one RACF database
  - example 1: RCLASS=IMSTEST
  - example 2: RCLASS=imsid
- Define each new resource class in the Class Descriptor Table (CDT)
- Activate the resource classes in RACF
  - SETR CLASSACT(classname)

RACF Resource Class

Class Descriptor Table (CDT)
- entries can be defined statically (IPL) or dynamically (no IPL)
- maximum 1024 entries
  - 256 defined by IBM
  - 768 can be installation-defined
- loaded at IPL by merging static, then dynamic class descriptors
  - a dynamic entry will replace a static one of the same name
  - if the merge reaches 1024, RACF warns that entries are being ignored
- CDT processes a paired member and grouping class together
- Updating the RACF Router Table for new resource classes is not required

Supplied CDT entries are documented in Appendix C of the z/OS Security Server RACF Macros and Interfaces

Populate the RACF Database

The RACF database consists of profiles:
- Group profile: defines group name, group authority, subgroup, ...
- User profile: defines individual user ID, password, user attributes, connect groups, ...
- Resource profile: defines the security requirements for a resource
  - Defines Universal Access
  - Defines authorized users/groups (access list)

RACF GROUP and USER Profiles

Example of defining group and user profiles (not all required parameters shown here):

  ADDGROUP IMSGRP4 ...
  ADDGROUP DBAGRP ...
  ADDUSER IMSUS99 NAME(BILL) PASSWORD(IMSPW99) DFLTGRP(IMSGRP4)
  CONNECT IMSUS99 GROUP(IMSGRP4) ...
  CONNECT IMSUS99 GROUP(DBAGRP) ...


RACF GROUP and USER Profiles

When IMS resources are protected by RACF
- IMS needs a user ID
- DLI/SAS needs a user ID
- Dependent regions may need a user ID

The user IDs are needed for
- Access to system resources and data sets (for example, the system dump data set)
- Access to IMS protected data sets (for example, IMS RECON or RESLIB)
- Access to IMS resources as the default user ID

User IDs can be created using the RACF STARTED class

RACF Resource Profiles

- Discrete profile
  - protects a single resource
  - fully qualified profile name
- Generic profile
  - protects one or more resources of the same type
  - profile contains generic (wildcard) characters
  - SETR GENERIC(classname) to enable generics
- Fully-qualified generic profile
  - used only by the DATASET resource class
  - used to retain the profile when the dataset is deleted
- If multiple profiles exist for a resource, RACF uses the most specific

RACF Resource Profiles

Define a RACF resource profile:

  RDEFINE | RDEF class-name profile-name UACC(access-authority)

- class-name is the RACF resource class
- profile-name is the IMS resource name
- UACC is the universal access authority

Examples:
  RDEFINE TIMS IMSTRANA UACC(READ)
  RDEFINE TIMS IMSTRAN* UACC(NONE)
  RDEFINE CIMS DIS UACC(READ)
  RDEFINE DIMS DBACMDS UACC(NONE) ADDMEM(STO,STA,DBR)

z/OS Security Server RACF Command Language Reference, Appendix A. Naming Considerations for Resource Profiles.


RACF Resource Profiles

  RDEFINE CIMS DIS UACC(READ)
  RDEFINE DIMS DBACMDS ADDMEM(STO,STA,DIS) UACC(NONE)

RACF Resource Profiles

  IMS resource            RACF class name   RACF member class profile name
  Transaction             TIMS / GIMS       transaction name
  Command (type 1)        CIMS / DIMS       first 3 characters of command
  PSB                     IIMS / JIMS       psb name
  LTERM                   LIMS / MIMS       lterm name
  DBRC command            FACILITY          safhlq.command_verb.qualifier.modifier
  OM command              OPERCMDS          IMS.plxname.command_verb.command_keyword
  CF structures           FACILITY          CQSSTR.structure_name or IXLSTR.structure_name
  IMS Control Region      APPL              imsid
  IMSplex (CSL)           FACILITY          CSL.imsplexname
  XCF group (client bid)  FACILITY          IMSXCF.groupname.membername
  Dataset                 DATASET           dataset name



RACF Resource Profiles

Universal Access Authority (UACC)
- Can be any one of the following: NONE, READ, EXECUTE, UPDATE, CONTROL, ALTER
- READ is required for most IMS resources
- UPDATE is required for
  - Some Type 2 commands
  - CQS access to CF structures (SMQ and RM)
  - Registering with SCI to join an IMSplex
- CONTROL is required for VSAM datasets open for update
  - IMS V10 gives the option to open the RECON for READ

RACF Access Lists

Add an access list to a resource profile:

  PERMIT | PE profile-name CLASS(class-name) ID(userid(s) and/or group-name(s)) ACCESS(access-authority)

Examples:
  PERMIT IMSTRAN* CLASS(TIMS) ID(GROUPA JOE) ACCESS(READ)
  PERMIT STO CLASS(CIMS) ID(NANCY DBAGRP) ACCESS(READ) WHEN(TERMINAL(terminal-id ...))


RACF Access Lists

- User or Group Access Authority (ACCESS) can be: NONE, READ, EXECUTE, UPDATE, CONTROL (for VSAM), ALTER
- Maximum entries in the access list of a profile is 5957
  - the access list of each profile is limited to 65535 bytes
  - each user or group in the access list uses 11 bytes


RACF Access Lists

Access lists are associated with resource profiles and define the access authorities of GROUPs and USERs.

  Resource:        DIS
  Resource Class:  CIMS
  Profile Owner:   IMSADMIN
  UACC:            NONE

  Group or Userid   Access Level
  GROUPY            READ
  STILWELL          NONE
  CM431GP           READ


Making RACF Security Changes Online

To update a RACF security definition
- update the RACF database
- refresh the RACF data space from the database by issuing

    SETROPTS RACLIST(classname) REFRESH

- RACF refreshes all classes with the same CDT POSIT value as classname
  - specify the member classname, not the grouping classname
  - for example, specify CIMS not DIMS
- REFRESH must be entered on all members of a SYSPLEX unless RACF is configured for SYSPLEX communication

How IMS Talks to SAF

When IMS initializes
- IMS calls RACF to load the IMS resource profiles into a data space (RACLIST)
    RACROUTE REQUEST=LIST,GLOBAL=YES
  - DATASET, Group and User profiles are not eligible for the data space
- RACF builds an ACEE for the IMS user ID

When a user signs on to IMS
- IMS calls RACF for sign-on verification
    RACROUTE REQUEST=VERIFY,ENVIR=CREATE,ACEE=addr ...
  - IMS passes USERID, GROUP, PASSWRD, TERMID, APPL
- RACF verifies user ID, password, TERMINAL, APPL
- RACF builds the ACEE
- RACF returns the ACEE address and a return code to IMS

z/OS Security Server RACF RACROUTE Macro Reference


How IMS Talks to SAF

When a user accesses a resource
- IMS calls RACF to check authorization
    RACROUTE REQUEST=FASTAUTH
  - IMS passes ACEE, CLASS, ENTITY, ATTR
  - Example: RACROUTE REQUEST=FASTAUTH,ACEE=addr,CLASS=CIMS,ENTITY=DIS,ATTR=READ
- RACF sends a return code to IMS
  - 0: user is authorized
  - 4: resource has no profile
  - 8: user is not authorized
- IMS grants access if the return code is 0 or 4
- If the return code is 8, IMS calls RACF for audit logging
    RACROUTE REQUEST=AUTH with parameters similar to FASTAUTH
  - RACF checks authorization and logs violation messages


How IMS Talks to SAF

When a user signs off
- IMS calls RACF to delete the user's ACEE
    RACROUTE REQUEST=VERIFY,ENVIR=DELETE,ACEE=addr
- RACF deletes the user's ACEE

When IMS terminates
- IMS calls RACF to deregister interest in the resource classes
    RACROUTE REQUEST=VERIFY,ENVIR=DELETE,ACEE=addr ...
- RACF deletes the ACEE for the IMS user ID
- GLOBAL=YES data spaces are not deleted


How IMS Talks to SAF

Accessor Environment Element (ACEE)
- Constructed by RACF when the user signs on
- Deleted when the user signs off
- Contains a description of the user's security environment
  - User ID
  - Current connect group
  - User attributes
  - Group authorities

The ACEE is documented in z/OS IBM Security Server RACF Data Areas


Summary of RACF Commands

Adding profiles:
  ADDUSER (AU)     add user profile
  ADDGROUP (AG)    add group profile
  ADDSD (AD)       add dataset profile
  CONNECT          associate a USER with a GROUP
  RDEFINE (RDEF)   define a profile for a general resource class
  RALTER           make changes to a profile

Creating access lists to allow access to resources:
  PERMIT (PE)      define a resource access list

Set RACF options: SETROPTS (SETR)
  CLASSACT         activate the resource class
  RACLIST          populate the data space
  GENERIC          allow generic resource checking
  REFRESH          refresh the data space

RACF in WARNING Mode for Migration

To ease migration you can specify WARNING in the resource profile definition (RDEF)
- in WARNING mode you can audit access attempts:
  - RACF records each access attempt
  - if the user is not authorized, RACF allows access and sends ICH408I
  - if NOTIFY user is specified in the resource profile, RACF also sends a warning message to that user
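The RACF side of the checks on these slides, as one added Python model (illustration, not IBM or RACF code): the RDEFINE/PERMIT examples from the resource-profile and access-list slides, the "most specific profile" rule, UACC versus access-list entries, the FASTAUTH return codes IMS acts on, and WARNING mode. Generic matching, profile specificity and group handling are simplified as the comments state; the profiles are constructed from the slide examples.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RACF access hierarchy, lowest to highest, used to compare granted vs. requested (ATTR).
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    """One RDEFINE: class, discrete or generic name, UACC, access list, WARNING flag."""
    klass: str
    name: str
    uacc: str = "NONE"
    acl: Dict[str, str] = field(default_factory=dict)  # PERMIT ... ID(x) ACCESS(y)
    warning: bool = False                              # RDEF ... WARNING

    def matches(self, entity: str) -> bool:
        # Simplified RACF generics: '%' matches one character, '*' any run.
        pattern = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c)
                          for c in self.name)
        return re.fullmatch(pattern, entity) is not None

    def specificity(self) -> int:
        # "RACF uses the most specific": rank by literal characters (simplified).
        return sum(c not in "*%" for c in self.name)


class RacfDataSpace:
    """The RACLISTed profiles of the IMS classes, plus what RACF would log."""

    def __init__(self) -> None:
        self.profiles: List[Profile] = []
        self.audit: List[str] = []

    def rdefine(self, klass: str, name: str, uacc: str = "NONE", warning: bool = False) -> None:
        self.profiles.append(Profile(klass, name, uacc, warning=warning))

    def permit(self, name: str, klass: str, ids: List[str], access: str) -> None:
        prof = next(p for p in self.profiles if p.klass == klass and p.name == name)
        for i in ids:
            prof.acl[i] = access

    def best_profile(self, klass: str, entity: str) -> Optional[Profile]:
        cands = [p for p in self.profiles if p.klass == klass and p.matches(entity)]
        return max(cands, key=Profile.specificity, default=None)

    def fastauth(self, userid: str, groups: List[str], klass: str, entity: str, attr: str) -> int:
        """RACROUTE REQUEST=FASTAUTH: 0 authorized, 4 no profile, 8 not authorized."""
        prof = self.best_profile(klass, entity)
        if prof is None:
            return 4
        # The user's own entry wins; else the highest group entry; else UACC (simplified).
        if userid in prof.acl:
            granted = prof.acl[userid]
        else:
            grp = [prof.acl[g] for g in groups if g in prof.acl]
            granted = max(grp, key=LEVELS.index) if grp else prof.uacc
        if LEVELS.index(granted) >= LEVELS.index(attr):
            return 0
        if prof.warning:  # WARNING mode: access allowed, ICH408I still recorded
            self.audit.append(f"ICH408I WARNING {userid} {klass} {entity} {attr}")
            return 0
        return 8


def ims_allows(racf: RacfDataSpace, userid: str, groups: List[str],
               klass: str, entity: str, attr: str = "READ") -> bool:
    """IMS grants on RC 0 or 4; on RC 8 it re-drives REQUEST=AUTH so RACF logs the violation."""
    rc = racf.fastauth(userid, groups, klass, entity, attr)
    if rc == 8:
        racf.audit.append(f"ICH408I {userid} {klass} {entity} {attr} INSUFFICIENT ACCESS")
    return rc in (0, 4)


def build_sample() -> RacfDataSpace:
    """Profiles constructed from the RDEFINE/PERMIT examples on the slides."""
    r = RacfDataSpace()
    r.rdefine("TIMS", "IMSTRANA", uacc="READ")
    r.rdefine("TIMS", "IMSTRAN*", uacc="NONE")
    r.permit("IMSTRAN*", "TIMS", ["GROUPA", "JOE"], "READ")
    r.rdefine("CIMS", "DIS", uacc="READ")
    r.rdefine("CIMS", "STO", uacc="NONE")
    r.permit("STO", "CIMS", ["NANCY", "DBAGRP"], "READ")
    r.rdefine("CIMS", "STA", uacc="NONE", warning=True)  # STA still migrating under WARNING
    return r


if __name__ == "__main__":
    racf = build_sample()
    print(ims_allows(racf, "BILL", ["IMSGRP4"], "TIMS", "IMSTRANA"))  # True: discrete profile, UACC(READ)
    print(ims_allows(racf, "BILL", ["IMSGRP4"], "TIMS", "IMSTRANB"))  # False: IMSTRAN* applies, UACC(NONE)
    print(ims_allows(racf, "BILL", [], "TIMS", "OTHERTRN"))            # True: no profile, RC 4
    print(racf.audit)
```

The RC 4 case is the one to watch during migration: an IMS resource with no profile in its class is granted, so WARNING mode only audits resources that already have a profile.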



Security Facilities - Exits

- Sign on/off verification: DFSCSGN0, DFSSGNX0, DFSSGFX0
- Transaction authorization: DFSCTRN0, DFSCTSE0 (reverify), DFSBSEX0 (build security environment)
- Command authorization: DFSCCMD0, DSPDCAX0 (DBRC), OM user exits
- RAS (dependent region/thread): DFSRAS00
- Other: OTMA exits, DFSTCNT0 (TCO), DFSCMPX0 (encryption), DFSFLGE0 (log edit), KBLA scrub

IMS V10 Exit Routine Reference


Security Facilities - Exits

- DFSCTRN0 is generally not invoked unless the RACF return code is 0 or 4
- DFSCTSE0 (the reverification entry point of DFSCTRN0) is always invoked for CHNG and AUTH calls, no matter what the RACF return code is
- When DFSCCMD0 cannot be explicitly requested (e.g. APPCSE), it is invoked if it exists, no matter what the RACF return code is
- DFSBSEX0 was offered to improve performance; it allows you to control if and when a security environment is dynamically built in cases where it does not exist (a back-end IMS, or a user who has signed off, for example)
- Exits can be used to do more granular checking than RACF may offer


How to Specify the Security Facility You Want


Tell IMS What Security To Use

- IMSGEN macros
  - (COMM)
  - (IMSGEN)
  - SECURITY
  - LINE
  - TERMINAL
  - TRANSACT
  - TYPE
- Override the IMSGEN macros with IMS execution parameters in JCL or PROCLIB
- Override JCL or PROCLIB with IMS commands
  - /NRE and /ERE
  - /SECURE
  - /SET


Security Macro - IMS V9

IMS V9 SECURITY macro specifies security options for IMS resources
- SMU security options
- Other non-SMU security options, such as RACF and/or exit routine options

  SECURITY PASSWD=NO|YES|FORCE,
           TERMNL=NO|YES|FORCE,
           TRANCMD=NO|YES|FORCE,
           SECCNT=0|1|2|3,
           RCLASS=,
           SECLVL=,
           TYPE=



Security Macro - IMS V10

IMS V10 SECURITY macro specifies RACF and/or EXIT security options

  SECURITY TRANCMD=NO|YES|FORCE,
           SECCNT=0|1|2|3,
           RCLASS=,
           SECLVL=,
           TYPE=



Security Macro

SECLVL= transaction authorization / signon verification
TYPE= RACF and/or EXITS; choose one from each column

  TYPE=  NORAS    | NORACTRM | NOTRANEX | NOSIGNEX | NORACFCM
         RASRACF  | RACFTERM | TRANEXIT | SIGNEXIT | RACFCOM
         RASEXIT  |          |          |          |
         RAS      |          |          |          |


IMS DB/DC Security Options

DFSPBxxx - these override the SECURITY macro
  TRN=    Transaction authorization option
  SGN=    Sign on authorization option
  ISIS=   Resource Access security
  RCF=    RACF security option(s)
  AOI1=   TRANCMD security option (TYPE 1 AOI)


Sign On Verification (SGN) - DFSPBxxx

SGN= overrides and augments the SECURITY macro SECLVL
  N  specifies that the signon verification function is not in effect
  Y  specifies that the signon verification function is to be activated
  F  same as Y, except the MTO cannot negate the activation of the signon verification function
  M  a single userid can sign on to multiple terminals (does not activate signon verification)
  Z  = Y + M
  G  = F + M

Transaction Authorization (TRN) - DFSPBxxx

TRN= overrides the SECURITY macro SECLVL
  N  Transaction authorization is inactive for this execution of IMS. Can be activated on /NRE or /ERE COLDSYS
  Y  Transaction authorization is active for this execution of IMS. Can be deactivated on /NRE or /ERE COLDSYS
  F  Same as Y. Cannot be deactivated on /NRE or /ERE COLDSYS


RACF Authorization (RCF) - DFSPBxxx

RCF= overrides and augments the SECURITY macro TYPE
  N  do not call RACF for signon verification, transaction or command authorization for input from static or ETO terminals
  C  call RACF to authorize commands entered from ETO terminals
  S  call RACF to authorize commands entered from both static and ETO terminals
  T  call RACF for signon verification and transaction authorization
  Y  call RACF for sign on verification, transaction authorization and command authorization for commands entered from ETO devices
  A  call RACF for sign on verification, transaction authorization and command authorization for commands entered from both static and ETO devices

More IMS DB/DC Security Options


DFSPBxxx
These have no equivalent on the SECURITY macro:
  AOIS =     ICMD security option (Type 2 AOI)
  CMDMCS =   MCS/E-MCS command option
  ODBASE =   ODBA security option
  APPCSE =   APPC security option
  OTMASE =   OTMA security option
  TCORACF =  TCO RACF command authorization security option
  RVFY =     RACF reverify option
  RCFTCB =   Number of RACF TCBs
  ALOT =     automatic logoff for ETO
  ASOT =     automatic signoff for ETO

IMS DC Security Options


DFSDCxxx

These override the SECURITY macro:
  RCLASS   1-7 character suffix for the RACF IMS resource classes

These have no equivalent on the SECURITY macro:
  BMPUSID
  MSCSEC
  LOCKSEC
  SIGNON
  SAPPLID


Operations Manager Security Options


CSLOIxx (Operations Manager PROCLIB)
CMDSEC = security option for all commands routed through Operations Manager (OM)

DFSCGxxx (IMS PROCLIB)


CMDSEC = security option for Type 1 commands routed through Operations Manager (OM)


IMS Security-related Log Records


Type X'10'  Security violation has occurred
Type X'16'  Written at /SIGN ON and /SIGN OFF; contains:
              physical terminal identifier
              userid
              IMS time stamp

Records that contain the userid of the signed-on user:
  Types X'01' and X'5901'                 input message
  Types X'03' and X'5903'                 output message
  Types X'50', X'51', X'52' and X'5950'   database change records


Putting It All Together


Factors Affecting Security


The security in force is determined by ...
  IMS system definition
  IMS JCL overrides
  IMS PROCLIB overrides
    DFSPBxxx
    DFSDCxxx
    CSLOIxxx
    DFSCGxxx
  IMS commands and restart options
    Example: /SECURE APPC FULL
    Example: /NRE TRANAUTH
  Whether IMS was warm started or cold started
  Source of the input message
  RACF definitions
  Exits


Protecting IMS Resources


  IMS application (CTL, DL/I, etc.)
  Transactions
  Commands
  Terminals
  PSBs
  Datasets
  Databases (records, fields, segments)
  Dependent regions and connection threads
  Coupling Facility structures
  IMSplex

Protecting IMS Resources

SOME EXAMPLES USING RACF


Protecting the IMS Control Region


Example:
  SETROPTS CLASSACT(APPL)
  RDEFINE APPL (IMSP,IMST) UACC(NONE)
  PERMIT IMSP CLASS(APPL) ID(GROUP1,GROUP2) ACCESS(READ)
  PERMIT IMST CLASS(APPL) ID(GROUPA,GROUPB) ACCESS(READ)
  PERMIT IMSP CLASS(APPL) ID(BILL) ACCESS(READ) WHEN(TERMINAL(NODE1,NODE2))

  If RAS security is activated (ISIS=R):
  PERMIT IMSP CLASS(APPL) ID(IMSMPR1,IMSBMP1) ACCESS(READ)

  SETR RACLIST(APPL) REFRESH



Protecting DBRC Commands


Example:
  CHANGE.RECON CMDAUTH(SAF,PROD)
  RDEFINE FACILITY PROD.GENJCL.RECOV.AAA UACC(NONE)
  PERMIT PROD.GENJCL.RECOV.AAA CLASS(FACILITY) ID(JOE) ACCESS(READ)
  RDEFINE FACILITY PROD.GENJCL.RECOV.* UACC(NONE)
  PERMIT PROD.GENJCL.RECOV.* CLASS(FACILITY) ID(BILL) ACCESS(READ)

The complete list of resource names can be found in:
  IMS V10 System Administration Guide, Table 28
  IMS V9 DBRC Guide and Reference, Appendix C

Protecting OM Commands
CMDSEC=R
  RDEFINE OPERCMDS IMS.CSLPLX0.UPD.TRAN UACC(NONE)
  PERMIT IMS.CSLPLX0.UPD.TRAN CLASS(OPERCMDS) ID(LONNIE) ACCESS(UPDATE)
  RDEFINE OPERCMDS IMS.CSLPLX0.STO.DB UACC(NONE)
  PERMIT IMS.CSLPLX0.STO.DB CLASS(OPERCMDS) ID(ALAN) ACCESS(UPDATE)
  RDEFINE OPERCMDS IMS.CSLPLX1.UPD.TRAN UACC(NONE)
  RDEFINE OPERCMDS IMS.*.QRY.* UACC(NONE)
  PERMIT IMS.*.QRY.* CLASS(OPERCMDS) ID(KENNY) ACCESS(READ)

The complete list of resource names can be found in:
  IMS V10 IMSplex Administration Guide, Table 8
  IMS V9 Command Reference, Appendix I, Resource Names Table

Protecting CF Structures
  RDEF FACILITY CQSSTR.IMSP_MSGQ1 UACC(NONE)
  PE CQSSTR.IMSP_MSGQ1 CLASS(FACILITY) ID(IMSP) ACCESS(UPDATE)
  RDEFINE FACILITY IXLSTR.IMSP_MSGQ1 UACC(NONE)
  PERMIT IXLSTR.IMSP_MSGQ1 CLASS(FACILITY) ID(IMSP) ACCESS(UPDATE)
  RDEFINE FACILITY IXLSTR.IMSP_IMSIRLM UACC(NONE)
  PERMIT IXLSTR.IMSP_IMSIRLM CLASS(FACILITY) ID(IRLMP) ACCESS(UPDATE)
  SETROPTS CLASSACT(FACILITY)
  SETROPTS RACLIST(FACILITY) REFRESH


Protecting IMSPlex
  ADDGROUP PLX0GRP ...
  ADDUSER OM1USER ... DFLTGRP(PLX0GRP)
  ADDUSER RM1USER ... DFLTGRP(PLX0GRP)
  ADDUSER CQS1USER ... DFLTGRP(PLX0GRP)
  ADDUSER IMS1USER ... DFLTGRP(PLX0GRP)
  ADDUSER ... (other address spaces needing access to SCI)
  RDEF STARTED OM1 STDATA(USER(OM1USER) GROUP(PLX0GRP) ...
  RDEF STARTED RM1 STDATA(USER(RM1USER) GROUP(PLX0GRP) ...
  RDEF ... (for each started task)
  RDEFINE FACILITY CSL.CSLPLX0 UACC(NONE)
  PERMIT CSL.CSLPLX0 CLASS(FACILITY) ID(PLX0GRP) ACCESS(UPDATE)
  SETROPTS CLASSACT(FACILITY)
  SETROPTS RACLIST(FACILITY) REFRESH


Protecting IMS Data Sets


  ADDSD (IMSPROD.RESLIB, IMSPROD.PROCLIB, IMSPROD.ACBLIB) UACC(NONE) AUDIT(ALL) OWNER(IMSADMIN)
  PERMIT IMSPROD.RESLIB ID(IMSP,MARY,TESTGRP) ACCESS(READ)
  PERMIT IMSPROD.RESLIB ID(SYSPROG,HENRY) ACCESS(UPDATE)



PART 2: SMU CONVERSION


SMU Migration


IBM Software Group

IMS V10 SMU Support Removed


IMS V10 removes SMU and SMU components
  The Security Maintenance Utility
  Application Group Name Exit Routine (DFSISIS0)
  IMS.MATRIXx data sets

Primary consideration
If migration from SMU to SAF/RACF has not already been done, migration to IMS V10 will also need to include migration from SMU to SAF/RACF

SMU to RACF Security

Page 82


IMS V10 SMU Removal


Any SMU parameters in System Generation macros will be ignored
  COMM, IMSGEN, SECURITY macros

Utilities
  SMU utility no longer supported
  Online Change utility ignores MATRIX dataset DD cards

Execution parameters
  e.g. AGN, ISIS, AOI1, MSCSEC, SGN, etc.
  Ignored if they request SMU
  Some parameters are no longer documented, but are ignored when specified
  Defaults changed where the previous default was SMU

Commands that require SMU are rejected
  e.g. /CHANGE PASSWORD

SMU Compared with RACF Security (Before IMS V10)


The basic command and transaction security is available with either SMU or RACF
  SMU authorizes the LTERM to use a transaction/command
  RACF authorizes the USERID to use a transaction/command

SMU keeps its security definitions in a matrix
  Who can do what
  What can be done by whom

RACF keeps security definitions in user profiles which describe allowed access to defined resources
  Resources are defined in RACF resource classes, for example:
    Transactions - TIMS class (or groups of transactions in GIMS class)
    Commands - CIMS class (or groups of commands in DIMS class)


RACF Security Before IMS Version 9


Most IMS security could be implemented with RACF
  Sign-On user validation and verification
    Check user is known
    Check password is correct
  Terminal Security
    User v. physical terminal
  IMS System Access Security
    User v. IMS ID
  Transaction Security
    User v. Trancode
  Command Security
    User v. IMS Command in Control Region
    User v. IMS Command in Operations Manager
  AOI Type 2 ICMD Call Security
    User v. IMS Command
  IMS Data Set Access Security
    Controls access to DBs and system datasets
  DB Data Access Security - used with the DL/I AUTH call
    User v. DB Record
    User v. Segment
    User v. Field
  PSB Access Security - for ODBA and CPI-C
    User v. PSBname
  Connection Access Control
    IMS Connect, CQS, CSL address spaces, etc.

Security Enhancements in IMS V9/V10


Version 9 introduced enhancements to IMS and the RACF interface to support these remaining functions that required SMU in IMS V8:
  1. Application Group Name (AGN) security
  2. Type 1 Automated Operator Interface (AOI)
  3. Terminal security for Time-Controlled Operations (TCO)
  4. MSC link-receive security for non-directed routing
  5. /LOCK, /UNLOCK and /SET commands with passwords
  6. Static terminal signon

IMS V9 is the last release to support SMU


Resource Access Security (Replaces AGN Security)


Resource Access Security with SMU

Uses Application Group Name (AGN) security


IMS Version 9 was the last release to support AGN security

Objectives of AGN Security


Check at Program Scheduling Time that the resources involved (PSB, TRANcode, LTERM) are authorized to be used by the Dependent Region

Predominantly used for BMPs, but actually applies for all dependent regions and connecting threads (DRA/CCTL/ODBA)


AGN Security Requirements


THREE required elements
  1. AGN defined in SMU
     - A named group of PSBs, transaction codes and LTERM names
  2. RACF (optional - can alternatively use the DFSISIS0 exit)
     - Define AGN in the AIMS resource class
     - Permit userids to use the AGN
  3. Dependent region JCL must contain the AGN=xxx execution parameter
     - Would also contain USERID


AGN Security Checks


At dependent region startup
  AGN name (if specified in JCL) is authorized for use by the region's USERID
    RACF or DFSISIS0 (Resource Access Security Exit)
  Mostly, in practice, AGN security is only used with BMPs

At program scheduling time
  Check (performed by SMU) that the required IMS resource(s) are in the AGN group for this region
    MPP / JMP:            check TRAN in AGN*
    Message Driven BMP:   check TRAN and PSB in AGN*
    NMD-BMP / IFP / JBP:  check PSB in AGN
    NMD-BMP with OUT=:    additionally check output LTERM / TRAN in AGN


Resource Access Security (RAS)


The old way - SMU and AGN ...

[Diagram: BMP example - relies on AGN= being coded in the JCL.
 Start-up JCL: IMSID=IMSA, USER=BMP1, PASSWORD=PW, AGN=AGN1
 Steps 1A-1C (region start-up, IDENTIFY/CONNECT): IMSA issues
   RACROUTE REQUEST=AUTH, CLASS=AIMS, ENTITY=AGN1 ...
   and RACF checks the AIMS profiles and access lists (AGN1 -BMP1, AGNX -MPP1, AGN2 -IFP1), building the ACEEs.
 Steps 2A-2B (SCHED PAYROLL): the SMU check runs against the SMU AGN table held in a data space
   (AGN1, AGN2, AGNX, listing PSBs, transactions and LTERMs such as PAYROLL, PSB5, PAYTRAN, LTERM2, LT1234A9, LT47AZ50, TRANX, LTERM1).]

An alternative to the use of RACF is the use of the DFSISIS0 exit, renamed the AGN Security Exit (one or the other is called, not both).

Resource Access Security (RAS) with IMS V9/V10


The new way in IMS V9/V10
  Provides direct RACF authorization checking, at program scheduling time, of the region userid against the IMS resource (TRAN, PSB, LTERM)

Uses RACF security classes for PSBs and LTERMs
  IIMS:  Program Specification Block (PSB)
  JIMS:  Grouping class for PSB
  LIMS:  Logical terminal (LTERM)
  MIMS:  Grouping class for LTERM
  TIMS:  Transaction (TRAN)
  GIMS:  Grouping class for Transactions

PSBs in the AIMS class are for ODBA and explicit APPC use of APSB only
(further details will follow)


Enabling Resource Access Security in IMS V9/V10


New specifications in system definition
  SECURITY ... TYPE = RASRACF | RASEXIT | RAS | NORAS | NOAGN | RACFAGN | AGNEXIT
    RASRACF = RAS security invokes RACF
    RASEXIT = RAS security invokes an IMS user exit (DFSRAS00)
    RAS     = RAS security invokes RACF and user exit DFSRAS00
    NORAS   = No security (turns off both RAS and SMU)
    NOAGN | RACFAGN | AGNEXIT are ignored in V10

New specifications during startup (DFSPBxxx exec parameter)
  ISIS = N | R | C | A | 0 | 1 | 2
    N = No security (turns off both RAS and SMU)
    R = RAS security invokes RACF
    C = RAS security invokes an IMS user exit (DFSRAS00)
    A = RAS security invokes RACF and user exit DFSRAS00
    0 | 1 | 2 are ignored in V10
    If not specified, defaults to the SECURITY ... TYPE= specification (or its default)

ISIS=N | 0 turns off all security checking



Resource Access Security Checks


New user exit (DFSRAS00) is called after RACF (when both are used)
  Provides authorization of IMS resources to IMS dependent regions in a RAS environment

RACF and/or DFSRAS00 make checks at every program schedule using the region's USERID
  Authorize region against transaction (MPP, JMP)*
  Authorize region against PSB (IFP, NMD BMP, JBP, DRA|CCTL|ODBA)
  Authorize region against transaction and PSB (MD BMP)*
  Authorize region against PSB and OUT=LTERM (NMD BMP, JBP)
  Authorize region against PSB and OUT=transaction (NMD BMP, JBP)
  * Also check that the region userid can use the LTERM (if the LTERM is defined in the LIMS class)

Available in DCCTL, DB/DC, and DBCTL

DFSISIS0 remains available in an AGN environment for V9, but AGN security and the new RAS security cannot coexist in a single IMS system

Resource Access Security and APSB Security


When RAS is enabled
  RAS check is made at every MPP/JMP program schedule using the region's userid
  RAS check is made at every BMP/IFP/JBP program schedule using the region's userid
  RAS check is made at every CICS/DBCTL program schedule using the userid of the CICS address space
    Completely separately, CICS can perform a check of the terminal user against the PSB

RAS checking takes place at a program schedule
  PSB defined in the IIMS RACF class

APSB security checking takes place for an APSB call
  P
  PSB defined in the AIMS RACF class

IMS will never use both checks for the same schedule!
  ODBA APSB call
    Exec parameter ODBASE=Y means use APSB security
    With ODBASE=N, RAS (or AGN) security will apply if enabled
  Explicit APPC (CPI-C) APSB call
    If APSB security is performed (with the caller's userid), the RAS check will not be made
    If APSB security is not performed, the RAS check (if enabled) will be performed using the region's userid


RAS Migration Examples


Example 1 - BMP with OUT=lterm/tran

OLD

  AGN definitions:
    )( AGN IMSDGRP
       AGPSB   DEBS
       AGPSB   APOL1
       AGTRAN  TRANA
       AGTRAN  TRANB
       AGLTERM IMSUS02
       AGLTERM T3270LD

  RACF definitions (userid to AGN group):
    ADDUSER BMPUSER1
    RDEFINE AIMS IMSDGRP OWNER(IMSADMIN) UACC(NONE)
    PERMIT IMSDGRP CLASS(AIMS) ID(BMPUSER1) ACCESS(READ)
    SETROPTS CLASSACT(AIMS)

NEW

  RACF definitions:
    ADDUSER BMPUSER1
    RDEFINE JIMS RASPGRP ADDMEM(DEBS,APOL1) UACC(NONE)
    PERMIT RASPGRP CLASS(JIMS) ID(BMPUSER1) ACCESS(READ)
    RDEFINE GIMS RASTGRP ADDMEM(TRANA,TRANB) UACC(NONE)
    PERMIT RASTGRP CLASS(GIMS) ID(BMPUSER1) ACCESS(READ)
    RDEFINE MIMS RASLGRP ADDMEM(IMSUS02,T3270LD) UACC(NONE)
    PERMIT RASLGRP CLASS(MIMS) ID(BMPUSER1) ACCESS(READ)

PK35433 and PK38522
  Program DFSKAGN0 is provided to assist in the conversion of AGN SMU statements to RACF counterparts
  Skeleton DFSKSMJA is provided as a sample JCL stream for invoking DFSKAGN0


RAS Migration Examples ...


Example 2 - AGN name with access to all entities of a particular resource type

OLD

  AGN definitions:
    )( AGN ALLGRP
       AGPSB  ALL
       AGTRAN ALL

In RACF, generic resource definitions can be used

NEW

  RACF definitions:
    ADDUSER DRAINBMP
    RDEFINE JIMS ** UACC(NONE)
    PERMIT ** CLASS(JIMS) ID(DRAINBMP) ACCESS(READ)
    RDEFINE TIMS ** UACC(NONE)
    PERMIT ** CLASS(TIMS) ID(DRAINBMP) ACCESS(READ)
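The conversion that Example 1 and Example 2 carry out by hand, as an added Python example that is not part of the presentation and is not IBM's DFSKAGN0 utility: it parses SMU AGN statements and emits the RAS grouping-class definitions, turning ALL into a generic ** profile. Assumptions made here: grouping profiles are named AGN name (first 7 characters) + P/T/L, generic profiles go in the member class (IIMS/TIMS/LIMS), and the sample input and userid mapping are constructed.

```python
"""Convert SMU AGN statements into the RACF RAS definitions of IMS V9/V10.

Added example for the two migration examples on this page; it is not IBM's
DFSKAGN0 utility. Assumptions made here: grouping-class profiles are named
AGN name (first 7 chars) + P/T/L, and 'ALL' becomes a generic '**' profile
in the member class (IIMS/TIMS/LIMS). The sample input is constructed.
"""

# SMU AGN sub-statement -> (member class, grouping class), from the
# "Resource Access Security (RAS) with IMS V9/V10" slide.
RAS_CLASSES = {
    "AGPSB": ("IIMS", "JIMS"),
    "AGTRAN": ("TIMS", "GIMS"),
    "AGLTERM": ("LIMS", "MIMS"),
}
SUFFIX = {"AGPSB": "P", "AGTRAN": "T", "AGLTERM": "L"}


def parse_agn(text):
    """Return {agn_name: {sub_statement: [members]}}.

    A ')( AGN name' card opens a group; the AGPSB/AGTRAN/AGLTERM cards that
    follow add members to it. 'ALL' is kept as a literal member.
    """
    groups, current = {}, None
    for raw in text.splitlines():
        card = raw.strip()
        if not card:
            continue
        if card.startswith(")("):
            parts = card[2:].split()
            if len(parts) != 2 or parts[0] != "AGN":
                raise ValueError("unsupported control statement: " + card)
            current = groups.setdefault(parts[1], {k: [] for k in RAS_CLASSES})
            continue
        keyword, _, member = card.partition(" ")
        member = member.strip()
        if current is None or keyword not in RAS_CLASSES or not member:
            raise ValueError("unexpected AGN card: " + card)
        current[keyword].append(member)
    return groups


def agn_to_ras(text, agn_users):
    """Emit RACF commands giving each AGN's users the same access under RAS.

    agn_users maps an AGN name to the userids PERMITted to it in the AIMS
    class (the 'userid to AGN group' definitions of the OLD setup).
    Explicit members become one grouping-class profile per resource type;
    ALL becomes a generic '**' profile in the member class (Example 2).
    """
    cmds, classes, generics = [], set(), set()
    for agn, resources in parse_agn(text).items():
        users = ",".join(agn_users.get(agn, ()))
        if not users:
            raise ValueError("no userids recorded for AGN " + agn)
        for keyword, members in resources.items():
            if not members:
                continue
            member_class, group_class = RAS_CLASSES[keyword]
            if "ALL" in members:
                # Access to every entity of the type: one generic profile,
                # defined once however many AGNs say ALL; each gets a PERMIT.
                if member_class not in generics:
                    cmds.append(f"RDEFINE {member_class} ** UACC(NONE)")
                    generics.add(member_class)
                cmds.append(f"PERMIT ** CLASS({member_class}) ID({users}) ACCESS(READ)")
                classes.add(member_class)
            else:
                profile = agn[:7] + SUFFIX[keyword]  # keep within 8 characters
                cmds.append(f"RDEFINE {group_class} {profile} "
                            f"ADDMEM({','.join(members)}) UACC(NONE)")
                cmds.append(f"PERMIT {profile} CLASS({group_class}) ID({users}) ACCESS(READ)")
                classes.add(group_class)
    cmds.extend(f"SETROPTS CLASSACT({c})" for c in sorted(classes))
    return cmds


# Constructed sample: Example 1 and Example 2 from this page in one input.
SAMPLE_AGN = """\
)( AGN IMSDGRP
   AGPSB   DEBS
   AGPSB   APOL1
   AGTRAN  TRANA
   AGTRAN  TRANB
   AGLTERM IMSUS02
   AGLTERM T3270LD
)( AGN ALLGRP
   AGPSB   ALL
   AGTRAN  ALL
"""
SAMPLE_USERS = {"IMSDGRP": ["BMPUSER1"], "ALLGRP": ["DRAINBMP"]}

if __name__ == "__main__":
    print("\n".join(agn_to_ras(SAMPLE_AGN, SAMPLE_USERS)))
```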

Migrating Off SMU with V9


  Define all AGN resources to RACF in the appropriate classes
  Define all region ids as RACF users
    BMPs, MPPs, IFPs, etc.
  Permit region ids to access the appropriate resources
  Change the SECURITY macro to specify RAS and/or change the ISIS= parameter in DFSPBxxx to specify RAS
  If needed, add ODBASE=Y to DFSPBxxx
  Restart IMS
  When safe, remove SMU definitions

AOI Security


AOI Security in V8 and Before


Automated Operator Program commands

Type 1 AOI - CMD calls
  SMU transaction command security
    SECURITY ... TRANCMD = NO | YES | FORCE
    /NRE or /ERE COLDSYS ... TRANCMDS | NOTRANCMDS
    (ignored in V10)
  SMU definitions
    Which commands can be executed by a specific program
    Which programs can execute a specific command

    )(CTRANS AUTOCTL
      TCOMMAND START
      TCOMMAND STOP
    )(TCOMMAND STOP
      CTRANS AUTOCTL
      CTRANS ADDINV


AOI Security in IMS V9/V10


IMS V9 enhancements
  1. RACF and/or DFSCCMD0 support for
     - Type 1 AOI CMD calls AND
     - Type 2 AOI ICMD calls
  2. Exec parameter AOI1, in addition to the existing AOIS
  3. New TRANSACT macro parameter
     - Defines what is used as the userid
     - Affects both Type 1 and Type 2 AOI calls
     - But has a slightly different meaning for each type

If you make no changes when migrating to IMS V9, AOI security will be as before

Security Support for Type 1 AOI (CMD)


New IMS EXEC parameter to choose type of security

AOI1= N | C | R | A | S

S is reset to R in V10


TRANSACT AOI= Parameter


New IMSGEN TRANSACT parameter

  TRANSACT ... AOI= YES | TRAN | CMD | NO

Relates to the use of RACF/DFSCCMD0 for both types of AOI command call
  YES  = Requests that the USERID of the user who entered the transaction be authorized against the command (in the CIMS class)
  TRAN = Requests that the TRANCODE be used as the userid for authorization against the command (in the CIMS class)
         Note that transactions have to be defined to RACF as USERIDs
  CMD  = Requests that the COMMAND CODE (first three characters of the command) be authorized against the trancode (in the TIMS class)
         The first three characters of IMS commands have to be defined to RACF as USERIDs
  NO   = AOI Type 1 CMD calls are not allowed
         Not relevant for AOI Type 2 ICMD calls - same as YES

(Type 2 commands now have additional security options)


RACF Replacement for Type 1 AOI (CMD) SMU Security

OLD

  )(CTRANS AUTOCTL
    TCOMMAND START
    TCOMMAND STOP

  )(TCOMMAND STOP
    CTRANS AUTOTRAN
    CTRANS ADDINV

NEW

  RACF definitions:
    ADDGROUP AOCMDS
    ADDUSER STO DFLTGRP(AOCMDS)
    ADDUSER STA DFLTGRP(AOCMDS)
    RDEFINE TIMS AUTOCTL UACC(NONE)
    PERMIT AUTOCTL CLASS(TIMS) ID(AOCMDS) ACCESS(READ)

    ADDUSER AUTOTRAN
    ADDUSER ADDINV
    RDEFINE CIMS STO UACC(NONE)
    PERMIT STO CLASS(CIMS) ID(AUTOTRAN,ADDINV) ACCESS(READ)

  Specify the TRANSACT macro AOI= parameter in the IMS definitions:
    TRANSACT CODE=AUTOCTL AOI=CMD
    TRANSACT CODE=AUTOTRAN AOI=TRAN
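The OLD-to-NEW mapping above, as an added Python example that is not from the presentation and not IBM's DFSKCIMS or DFSKAOI1 aids: a CTRANS-headed SMU block becomes the AOI=CMD model (command code as userid, trancode as TIMS resource), a TCOMMAND-headed block becomes the AOI=TRAN model (trancode as userid, command code as CIMS resource), and a trancode that would need both values is reported instead of silently picking one. The group name AOCMDS is the slide's; the sample input is constructed from its OLD definitions.

```python
"""Translate SMU Type 1 AOI (CMD call) matrix statements into the RACF
definitions and TRANSACT AOI= values of IMS V9/V10, following the OLD/NEW
example above.

Added example written for this page; it is not IBM's DFSKCIMS or DFSKAOI1
aid. The group name AOCMDS is the slide's; the sample input is constructed.
')(CTRANS tran' blocks (commands a program may issue) map to the AOI=CMD
model, ')(TCOMMAND verb' blocks (programs that may issue a command) to the
AOI=TRAN model.
"""


def verb(command):
    """RACF sees the first three characters of an IMS command (START -> STA)."""
    return command[:3].upper()


def parse_aoi_matrix(text):
    """Return (by_tran, by_cmd): {tran: [commands]} and {command: [trans]}."""
    by_tran, by_cmd = {}, {}
    target, expect = None, None
    for raw in text.splitlines():
        card = raw.strip()
        if not card:
            continue
        keyword, _, name = card.lstrip(")( ").partition(" ")
        name = name.strip()
        if card.startswith(")("):
            if keyword == "CTRANS":
                target, expect = by_tran.setdefault(name, []), "TCOMMAND"
            elif keyword == "TCOMMAND":
                target, expect = by_cmd.setdefault(name, []), "CTRANS"
            else:
                raise ValueError("unsupported control statement: " + card)
        elif target is None or keyword != expect or not name:
            raise ValueError("unexpected card: " + card)
        else:
            target.append(name)
    return by_tran, by_cmd


def aoi_to_racf(text, group="AOCMDS"):
    """Return (racf_commands, transact_macros) for the SMU statements in text.

    A trancode can carry only one AOI= value, so one that heads a CTRANS
    block (AOI=CMD) and also appears in a TCOMMAND block (AOI=TRAN) is an
    error rather than a silent choice.
    """
    by_tran, by_cmd = parse_aoi_matrix(text)
    trans_as_users = {t for trans in by_cmd.values() for t in trans}
    clash = trans_as_users & set(by_tran)
    if clash:
        raise ValueError("trancode needs both AOI=CMD and AOI=TRAN: " + ",".join(sorted(clash)))
    racf, transact = [], []
    if by_tran:
        # AOI=CMD: the command code acts as the userid, the trancode is the
        # TIMS resource. The slide permits the whole AOCMDS group; permitting
        # the individual verbs keeps the SMU matrix's per-command granularity.
        racf.append(f"ADDGROUP {group}")
        for v in sorted({verb(c) for cmds in by_tran.values() for c in cmds}):
            racf.append(f"ADDUSER {v} DFLTGRP({group})")
        for tran, cmds in by_tran.items():
            transact.append(f"TRANSACT CODE={tran} AOI=CMD")
            racf.append(f"RDEFINE TIMS {tran} UACC(NONE)")
            ids = ",".join(sorted({verb(c) for c in cmds}))
            racf.append(f"PERMIT {tran} CLASS(TIMS) ID({ids}) ACCESS(READ)")
    if by_cmd:
        # AOI=TRAN: the trancode acts as the userid, the command code is the
        # CIMS resource.
        for tran in sorted(trans_as_users):
            racf.append(f"ADDUSER {tran}")
            transact.append(f"TRANSACT CODE={tran} AOI=TRAN")
        for command, trans in by_cmd.items():
            racf.append(f"RDEFINE CIMS {verb(command)} UACC(NONE)")
            racf.append(f"PERMIT {verb(command)} CLASS(CIMS) ID({','.join(trans)}) ACCESS(READ)")
    return racf, transact


# Constructed sample: the OLD definitions from the slide above.
SAMPLE_SMU = """\
)(CTRANS AUTOCTL
  TCOMMAND START
  TCOMMAND STOP
)(TCOMMAND STOP
  CTRANS AUTOTRAN
  CTRANS ADDINV
"""

if __name__ == "__main__":
    racf, transact = aoi_to_racf(SAMPLE_SMU)
    print("\n".join(racf + transact))
```

The migration slide later in this part recommends giving such verb and trancode userids a password so that nobody can sign on with them; add PASSWORD(...) to the generated ADDUSER commands before running them.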

RACF and SMU Coexistence in IMS V9


Only relevant for Type 1 AOI (CMD) calls
  AOI1=S              Uses SMU security; TRANSACT AOI value ignored
  AOI1=N              No authorization checking is done; TRANSACT AOI value ignored
  AOI1=R|C|A          Uses RACF and/or DFSCCMD0; TRANSACT AOI value honored
  AOI1 not specified  Defaults to the IMS GEN specification for SMU in V9
                      Defaults to R in V10

Final override
  /NRE or /ERE ... TRANCMDS | NOTRANCMDS
    TRANCMDS     V9: use SMU.  V10: ignored
    NOTRANCMDS   V9: CMD calls not allowed.  V10: ignored

Migrating Off SMU on V9


Type 1 (CMD)
  Initially, code AOI1=S to get SMU security
  Set up the required RACF definitions for Type 1 commands
    If you define trancodes or IMS command verbs as userids, specify a password to ensure that people cannot sign on with these userids
  Add AOI=value to TRANSACT macros in the IMSGEN
    Can use online change
    Will be ignored for Type 1 commands while AOI1= indicates SMU security
  Change (or add) AOI1=R to DFSPBxxx
  Restart IMS (can be warm)
  When safe, remove SMU definitions

PK35433 and PK38522
  Program DFSKCIMS is provided to assist in the conversion of SMU statements to RACF counterparts
  DFSKSMU1 and DFSKAOI1 assist in adding the AOI= parameter to TRANSACT macros

Time Control Option (TCO) Security


TCO Security in V8 and Before


Time Controlled Operations (TCO)
  IMS capability to execute time-initiated commands and transactions

Security support
  Authorization of the loading of a TCO script by an LTERM is performed only by the DFSTCNT0 exit
  Resource authorization
    Command and transaction security using SMU
    Transaction security (only) using RACF
      Command security could be requested but is not performed

TCO Security in IMS V9/V10


Loading of TCO scripts
  No change - performed only by the DFSTCNT0 exit

Resource security
  Command and transaction security with SMU in V9, but not in V10
  Command and transaction security with RACF in V9/V10


TCO Security with SMU


Uses standard SMU transaction and command security for DFSTCFI (the TCO input LTERM)
  )( TERMINAL DFSTCFI
     COMMAND  START
     COMMAND  STOP
     TRANSACT STATTRN

  )( COMMAND START
     TERMINAL DFSTCFI
  )( COMMAND STOP
     TERMINAL DFSTCFI

DFSCCMD0 will also be called if it exists (after the SMU check) for command security

RACF Security for TCO in V8


Requires IMS EXEC parameter RCF= A | S | R | B
  Requests RACF support for transaction and command authorization

Requires a USERID
  TCO script specification of /SIGN ON tcousid tcopw
    Should also issue /SIGN OFF at the end of the script
  Else uses the control region userid

Available for RACF authorization of transactions only
  TCO userid is authorized to use transactions in the TIMS class, as usual

Command security for the TCO userid can be specified, but RACF will not be called (No RACF for commands!)
  TCO is treated by IMS V8 like a system console or master terminal
    Eligible to enter any commands
  DFSCCMD0 will be called if it exists


RACF Support for TCO in IMS V9/V10


Requires new execution parameter: TCORACF = Y | N
  Specifies whether or not TCO command security is done with RACF

Requires RCF = A | S | R | B
  R/B ignored in V10
  RACF is called for TCO command security only if TCORACF = Y is also specified

Requires a TCO USERID
  TCO script specification of /SIGN ON tcousid tcopw
  If DFSTCFI is not required to sign on, the IMS userid will be used

RACF will be called in the standard way to authorize transactions and commands
  Using the TCO USERID

DFSCCMD0 will be called if it exists (after RACF) for command security



RACF Support for TCO ...


OLD
  )( TERMINAL DFSTCFI
     COMMAND  START
     COMMAND  STOP
     TRANSACT STATTRN

NEW
  ADDUSER TCOUSID DFLTGRP(IMS) OWNER(IMS) PASSWORD(tcopw)
  PERMIT STA CLASS(CIMS) ID(TCOUSID) ACCESS(READ)
  PERMIT STO CLASS(CIMS) ID(TCOUSID) ACCESS(READ)
  PERMIT STATTRN CLASS(TIMS) ID(TCOUSID) ACCESS(READ)

This example assumes:
  - Command and transaction profiles already exist
  - The TCO userid (TCOUSID) is connected to a RACF group
  - The TCO script issues a /SIGN ON for TCOUSID
  - RCF= and TCORACF=Y are specified

The above definitions could have been coded in prior releases. If so, authorization for the transaction was done. Command authorization, however, was never invoked. In IMS V9/10 (TCORACF=Y), using the same definitions, RACF will be invoked for command authorization.


Migrating Off SMU on V9


Prerequisite is that RACF is used for command / transaction security
  RCF= A | S | R | B
    R/B ignored in V10

  Define the TCO userid and permissions in RACF
  Add /SIGN ON to all TCO scripts
  Add TCORACF=Y to DFSPBxxx
  Restart IMS (can be warm)
  When safe, remove SMU definitions
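The migration steps in this and the preceding RAS and AOI sections turn on a few DFSPBxxx parameters whose meaning changes in V10. This added Python example (not from the presentation, not an IBM utility) checks a member against the rules those slides state: ISIS=0|1|2 and RCF=R|B are ignored, AOI1=S is reset to R and an omitted AOI1 defaults to R, TCO command security needs TCORACF=Y, and ISIS=N, AOI1=N and RCF=N switch the respective checks off. The sample members are constructed and are read as KEYWORD=value tokens separated by commas and blanks.

```python
"""Pre-check of a DFSPBxxx member for IMS V10, applying the rules stated in
this section: ISIS=0|1|2 and RCF=R|B are ignored in V10, AOI1=S is reset to
R and an omitted AOI1 defaults to R, TCO command security needs TCORACF=Y,
and ISIS=N, AOI1=N and RCF=N switch the respective checks off.

Added example written for this page, not an IBM utility. The sample members
are constructed; a member is read as KEYWORD=value tokens separated by
commas and blanks.
"""


def parse_dfspb(text):
    """Return {KEYWORD: value} (upper-cased; a repeated keyword keeps the last)."""
    params = {}
    for token in text.replace(",", " ").split():
        key, sep, value = token.partition("=")
        if sep:
            params[key.upper()] = value.upper()
    return params


def v10_findings(member_text):
    """Map each parameter whose effect changes or is missing in V10 to a note."""
    p = parse_dfspb(member_text)
    notes = {}

    isis = p.get("ISIS")
    if isis in ("0", "1", "2"):
        notes["ISIS"] = (f"ISIS={isis} is ignored in V10; the SECURITY macro TYPE= "
                         "value (or its default) decides whether RAS is in effect. "
                         "Code ISIS=R, C or A explicitly.")
    elif isis == "N":
        notes["ISIS"] = "ISIS=N turns off all RAS security checking of dependent regions."

    aoi1 = p.get("AOI1")
    if aoi1 is None:
        notes["AOI1"] = ("AOI1 not specified: V9 defaulted to the IMS GEN SMU setting, "
                         "V10 defaults to R (RACF/DFSCCMD0) and honors TRANSACT AOI=.")
    elif aoi1 == "S":
        notes["AOI1"] = ("AOI1=S is reset to R in V10: Type 1 AOI CMD calls are "
                         "authorized by RACF/DFSCCMD0 and TRANSACT AOI= is honored.")
    elif aoi1 == "N":
        notes["AOI1"] = "AOI1=N: no authorization checking of Type 1 AOI CMD calls."

    rcf = p.get("RCF")
    if rcf in ("R", "B"):
        notes["RCF"] = f"RCF={rcf} is ignored in V10."
    elif rcf == "N":
        notes["RCF"] = ("RCF=N: RACF is not called for signon verification, "
                        "transaction or command authorization.")

    if p.get("TCORACF") != "Y":
        notes["TCORACF"] = ("TCORACF=Y not specified: RACF is not called for TCO "
                            "command security, and V10 has no SMU fallback for TCO.")
    return notes


# Constructed sample members: one still relying on SMU-era values, one clean.
SMU_ERA_MEMBER = """\
IMSID=IMSP,
TRN=F,SGN=G,
ISIS=2,
AOI1=S,
RCF=B,
"""
CLEAN_MEMBER = "ISIS=R,AOI1=R,RCF=A,TCORACF=Y,"

if __name__ == "__main__":
    for key, note in v10_findings(SMU_ERA_MEMBER).items():
        print(f"{key:8} {note}")
```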


MSC Link Receive Security


MSC Link Receive Security in V8


Directed Routing*
  Uses RACF, and the Transaction Authorization Exit Routine (DFSCTRN0) if defined
  If the DFSMSCE0 exit (link receive entry point) is defined, RACF and DFSCTRN0 are called before and after the call of DFSMSCE0

Non-Directed Routing
  Uses SMU (after the DFSMSCE0 call)
  Normal transaction security using the MSNAME as the LTERM name
  Note: security checking may also have already taken place in the inputting IMS (terminal security or CHNG call security)

Note that Directed and Non-Directed routing use different userids for security

* Directed Routing is when the application explicitly specifies the target location
  Not necessarily defined in the IMS GEN


MSC Link Receive Security in V8


[Diagram: MSC Link Receive Security in V8 - IMSA, IMSB and IMSC joined by MSC links; an MPP in IMSA runs TRANX.
 Non-Directed Routing: TRANX is defined as APPLCTN PSB=APPLX, TRANSACT CODE=TRANX SYSID=(01,30) on one system and as APPLCTN PSB=APPLX, TRANSACT CODE=TRANX on the other; the SMU check runs against the SMU tables in the data space:
   )( TRANSACT TRANX
      TERMINAL MSNAME1          *MSNAME1 is the logical link
 Directed Routing: the MPP issues ISRT TRANZ; the target defines APPLCTN PSB=APPLY, TRANSACT CODE=TRANZ and checks through RACF via the System Authorization Facility: build the USER2 ACEE, check USER2 access to TRANZ (TWICE!) against the resource profiles and access lists in the RACF database.]


MSC Link Receive Security in IMS Version 9/10


New DFSDCxxx parameter to specify use of RACF / DFSCTRN0

  MSCSEC=(parm1, parm2)
    parm1: defines the types of MSC link-receive usage that require security
      LRDIRECT | LRNONDR | LRALL | LRNONE
    parm2: defines the type of security check to be performed
      CTL | MSN | USER | EXIT | CTLEXIT | MSNEXIT | USREXIT | NONE

RACF for MSC Link Receive Security in V9/V10

MSCSEC=(parm1, ..)
- LRDIRECT = Link Receive Directed Routing transaction security checking
- LRNONDR  = Link Receive Non-Directed Routing transaction security checking
- LRALL    = LRDIRECT and LRNONDR
- LRNONE   = No Link Receive security checking

V8 compatibility is provided with LRDIRECT
- V9 will use SMU security for non-directed routing, but V10 will have no security for non-directed routing when LRDIRECT is specified

RACF / DFSCTRN0 called once, after DFSMSCE0
- The USERID to be used is defined by MSCSEC parm2 or the DFSMSCE0 exit

RACF for MSC Link Receive Security in V9/V10 ...

MSCSEC=( ., parm2)
Specifies what is used as the userid for the transaction security check.

MSCSEC=(LRDIRECT | LRNONDR | LRALL | LRNONE , CTL | MSN | USER | EXIT | CTLEXIT | MSNEXIT | USREXIT | NONE)

- CTL     = Use the userid of the control region
- MSN     = Use the MSNAME as the userid
- USER    = Use the terminal user's userid
- EXIT    = Authorization by user exit alone (DFSCTRN0)
- CTLEXIT = Use the control region userid for RACF and call DFSCTRN0
- MSNEXIT = Use the MSNAME as the userid for RACF and call DFSCTRN0
- USREXIT = Use the terminal user's userid for RACF and call DFSCTRN0
- NONE    = No security authorization checking

Note: with RACF, the security environment for the control region or MSNAME is built once when first used, and retained. But the security environment for an end user is built and deleted for each message.

New Role for DFSMSCE0 Link Receive Processing

- Traditionally, directed and non-directed routing have used different userids for security
  - To achieve this in future will require the use of the DFSMSCE0 exit
- Additional data is passed to DFSMSCE0
  - Userid, Group name, and Userid indicator
- DFSMSCE0 can override the MSCSEC PARM2 value
  - In other words, DFSMSCE0 link receive processing can:
    - Enable or disable the security check
    - Enable or disable the use of DFSCTRN0
    - Choose which userid to use for RACF security: user, control region or MSNAME
Migrating Off SMU with IMS V9

- When migrating to IMS V9, add MSCSEC=(LRDIRECT,USER) to DFSDCxxx, or authorise the control region for transaction execution and take the default MSCSEC values (LRDIRECT,CTL)
- Decide what type of userid to use for directed and non-directed routing
  - Easier when both are the same, but they can be different
- Update RACF to include the new userids (MSNAMEs and control region) if necessary, and grant their access to transactions
- If using two types of userid, code DFSMSCE0 accordingly
- Change DFSDCxxx to include MSCSEC=(LRALL,USER | MSN | CTL)
- Restart IMS
- When safe, remove the SMU definitions

/LOCK, /UNLOCK and /SET Security

/LOCK, /UNLOCK and /SET Security in V8

- SMU is used to provide password security
  - The password is associated with a specific resource, e.g.
    /LOCK DATABASE payroll (uomecash)
    /SET TRANSACTION paytran (uomecash)
  - Note: these passwords cannot be used with ETO terminals (ETO and SMU are incompatible)
- Definitions to achieve SMU /LOCK and /SET password security
  - IMSGEN SECURITY macro: PASSWD=YES
    - Can be overridden with /NRE or /ERE COLDSYS PASSWORD
  - SMU definitions:
    )( DATABASE PAYROLL
       PASSWORD UOMECASH
    or
    )( PASSWORD UOMECASH
       DATABASE PAYROLL
       PROGRAM PAYPROG
       TRANSACT PAYTRAN

Use of /LOCK, /UNLOCK and /SET Security

- An end user manager can LOCK and UNLOCK his users' LTERMs
  - One or more LTERMs for a physical terminal
  - Only he knows the password to do this (when using SMU)
- Similarly he can SET the destination transaction code for a terminal
  - Only he knows the password to do this (when using SMU)
- Senior operators can LOCK and UNLOCK DBs, programs and transactions
  - Only they know the passwords to do this (when using SMU)
- In IMS V9/V10 with RACF, these "special people" are explicitly authorized to LOCK, UNLOCK and SET specific resources

RACF /LOCK, /UNLOCK and /SET Security in IMS V9/V10

- New DFSDCxxx parameter: LOCKSEC = Y | N
  - N = No authorization checking (standard command security will still apply)
  - Y = Calls RACF (and DFSCTRN0 if TRAN)
    - RACF classes: LIMS, PIMS, IIMS, TIMS for LTERM, DB, PSB, TRAN respectively
  - Does not apply to /LOCK or /UNLOCK of NODE or PTERM
  - If the resource is not defined to RACF, access will be granted
- RACF security is based on the user's userid
  - The userid must be authorized to issue the /LOCK, /UNLOCK, /SET commands AND must be authorized for use of the specific resource
- Password security is still available in V9 and V10
  - In V9, SMU checking can still be requested (done before RACF)
  - In V9/V10, RACF REVERIFY password support can be requested
    - The user's signon password is used for reverification

Migrating Off SMU with V9

- Define to RACF all resources that need to be LOCKed or SET
  - LTERMs, DBs, Programs (PSBs), and Transactions
- Grant authority for using these resources to the appropriate userids
- Add LOCKSEC=Y to DFSDCxxx
- Restart IMS
- When safe, remove the SMU definitions
- Inform users that passwords are no longer needed
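An added example (not IBM code, nor one of the conversion utilities) of the first two migration steps above: it reads the SMU /LOCK and /SET password statements shown on the V8 slide and produces the RACF profiles that LOCKSEC=Y checks. It assumes SMU statements are one per line with ")(" starting a block, that ACCESS(READ) is the level IMS asks for, and that the password-to-userid table is constructed for the example.

```python
"""Turn SMU /LOCK and /SET password definitions into RACF profiles for LOCKSEC=Y.

Added example, not IBM code. Assumptions: one SMU statement per line, ")("
introduces a statement block, ACCESS(READ) is the access level IMS requests,
and the sample SMU text and password-owner table are constructed.
"""

# SMU resource keyword -> RACF class checked when LOCKSEC=Y
# (LIMS, PIMS, IIMS, TIMS for LTERM, DB, PSB, TRAN respectively).
SMU_TO_CLASS = {
    "TERMINAL": "LIMS",   # assumed SMU keyword for an LTERM password
    "DATABASE": "PIMS",
    "PROGRAM": "IIMS",
    "TRANSACT": "TIMS",
}

# Constructed sample: both SMU layouts from the V8 slide, for one password.
SAMPLE_SMU = """\
)( DATABASE PAYROLL
   PASSWORD UOMECASH
)( PASSWORD UOMECASH
   DATABASE PAYROLL
   PROGRAM  PAYPROG
   TRANSACT PAYTRAN
"""

# Constructed sample: the RACF userids of the people who knew each SMU
# password. Collecting this is the manual part of the migration.
SAMPLE_OWNERS = {"UOMECASH": ["OPER1", "OPER2"]}


def parse_smu_passwords(smu_text):
    """Return {resource_keyword: {resource_name: set_of_passwords}}."""
    resources = {}
    head = None  # (keyword, name) of the current ")(" statement
    for raw in smu_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(")("):
            tokens = line[2:].split()
            if len(tokens) != 2:
                raise ValueError(f"malformed SMU header: {raw!r}")
            head = (tokens[0].upper(), tokens[1].upper())
            continue
        tokens = line.split()
        if head is None or len(tokens) != 2:
            raise ValueError(f"unexpected SMU statement: {raw!r}")
        kw, name = tokens[0].upper(), tokens[1].upper()
        if head[0] == "PASSWORD" and kw in SMU_TO_CLASS:
            res_kw, res_name, password = kw, name, head[1]      # )( PASSWORD form
        elif head[0] in SMU_TO_CLASS and kw == "PASSWORD":
            res_kw, res_name, password = head[0], head[1], name  # )( DATABASE form
        else:
            raise ValueError(f"unexpected SMU statement: {raw!r}")
        resources.setdefault(res_kw, {}).setdefault(res_name, set()).add(password)
    return resources


def racf_commands(resources, password_owners):
    """Build RDEFINE/PERMIT/SETROPTS commands for the parsed SMU resources.

    Every resource gets a discrete profile with UACC(NONE): because a resource
    that is not defined to RACF is granted under LOCKSEC=Y, a forgotten profile
    silently removes the protection the SMU password used to give.
    """
    known = {pw for names in resources.values() for pws in names.values() for pw in pws}
    unmapped = sorted(known - set(password_owners))
    if unmapped:
        raise ValueError(f"no RACF userids known for SMU password(s): {unmapped}")
    cmds, classes = [], set()
    for kw in sorted(resources):
        racf_class = SMU_TO_CLASS[kw]
        classes.add(racf_class)
        for name in sorted(resources[kw]):
            cmds.append(f"RDEFINE {racf_class} {name} UACC(NONE)")
            users = set()
            for password in resources[kw][name]:
                users.update(password_owners[password])
            for user in sorted(users):
                # Authority to issue /LOCK, /UNLOCK and /SET themselves is a
                # separate command-security check and is not generated here.
                cmds.append(f"PERMIT {name} CLASS({racf_class}) ID({user}) ACCESS(READ)")
    for racf_class in sorted(classes):
        cmds.append(f"SETROPTS CLASSACT({racf_class}) RACLIST({racf_class})")
        cmds.append(f"SETROPTS RACLIST({racf_class}) REFRESH")
    return cmds


if __name__ == "__main__":
    for cmd in racf_commands(parse_smu_passwords(SAMPLE_SMU), SAMPLE_OWNERS):
        print(cmd)
```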

Sign On Verification Security

Signon Verification Security in V8

- SMU method for static terminal Signon Verification
  - Defines which static (non-ETO) terminals must /SIGN ON
    )( SIGN STERM TERM1 STERM TERM2 STERM TERM3 ...   or   STERM ALL
- Requires
    SECURITY SECLVL=SIGNON or FORCSIGN
  and typically requests RACF verification of userid/password with
    SECURITY TYPE=RACFTERM

Signon Verification Security in IMS Version 9/10

- Does not require RACF (or SMU)
- New startup parameter in DFSDCxxx: SIGNON = ALL | SPECIFIC
  - ALL: all static terminals (except 3284/3286, SLU1 printers, and MTOs)
  - SPECIFIC: based on the OPTIONS of the TYPE/TERMINAL macro
- Addition to the OPTIONS parameter on the TYPE and/or TERMINAL macros
  - OPTIONS = (...,SIGNON | NOSIGNON)
  - A specification on the TERMINAL macro overrides TYPE
- In V9, if a TERMINAL has both a SMU STERM specification and a conflicting OPTIONS=NOSIGNON, then SMU takes precedence

Migrating Off SMU with IMS V9

- For ALL
  - Add SIGNON=ALL to DFSDCxxx
  - Restart IMS
- For SPECIFIC
  - PK35433 and PK38522: programs DFSKSMU1 and DFSKSMU2 are provided to assist in the conversion of )(SIGN SMU statements to the OPTIONS SIGNON parameter on the TERMINAL macros
    - Skeleton DFSKSMJS is provided as sample JCL for invoking DFSKSMU1 and DFSKSMU2
  - Add OPTIONS=( SIGNON ) for all TERMINALs which currently have an explicit SMU signon requirement
  - Add SIGNON=SPECIFIC to DFSDCxxx
  - Restart IMS
- When safe, remove the SMU definitions
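An added example, not the DFSKSMU1/DFSKSMU2 utilities, of the SPECIFIC conversion above: it reads the )( SIGN STERM statements, adds SIGNON to the OPTIONS of the matching Stage 1 TERMINAL macros (replacing a conflicting NOSIGNON, which SMU overrode anyway in V9), and reports the SIGNON= value to put in DFSDCxxx. It assumes each TERMINAL macro fits on one line with no assembler continuation and is identified by NAME=; the SMU and Stage 1 text are constructed samples.

```python
"""Apply SMU )( SIGN STERM requirements to Stage 1 TERMINAL macros.

Added example, not IBM's DFSKSMU1/DFSKSMU2. Assumptions: one TERMINAL macro
per line (no continuation), terminals identified by NAME=, and the sample
SMU and Stage 1 text below are constructed.
"""
import re

TERMINAL_RE = re.compile(r"^\S*\s*TERMINAL\s", re.IGNORECASE)
NAME_RE = re.compile(r"\bNAME=([A-Z0-9@#$]+)", re.IGNORECASE)
OPTIONS_RE = re.compile(r"\bOPTIONS=\(([^)]*)\)", re.IGNORECASE)

# Constructed SMU source: TERM1 and TERM3 must sign on, TERM2 need not.
SAMPLE_SMU = """\
)( SIGN STERM TERM1
   STERM TERM3
"""

# Constructed Stage 1 fragment; TERM1 carries a NOSIGNON that SMU overrides.
SAMPLE_STAGE1 = """\
         TYPE     UNITYPE=SLUTYPE2
         TERMINAL NAME=TERM1,OPTIONS=(TRANRESP,NOSIGNON)
         TERMINAL NAME=TERM2
         TERMINAL NAME=TERM3
"""


def sterm_names(smu_text):
    """Terminals that SMU forces to sign on: a set of names, or "ALL"."""
    names, in_sign = set(), False
    for raw in smu_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(")("):
            tokens = line[2:].split()
            in_sign = bool(tokens) and tokens[0].upper() == "SIGN"
            tokens = tokens[1:]
        else:
            tokens = line.split()
        if not in_sign:
            continue  # some other SMU statement type; not our concern here
        if len(tokens) % 2:
            raise ValueError(f"unpaired STERM keyword in: {raw!r}")
        for kw, name in zip(tokens[::2], tokens[1::2]):
            if kw.upper() != "STERM":
                raise ValueError(f"unexpected keyword {kw!r} in )( SIGN block")
            if name.upper() == "ALL":
                return "ALL"
            names.add(name.upper())
    return names


def add_signon(stage1_text, required):
    """Return (rewritten Stage 1 text, names of the TERMINAL macros changed)."""
    out, changed = [], []
    for line in stage1_text.splitlines():
        name_match = NAME_RE.search(line)
        if TERMINAL_RE.match(line) and name_match and name_match.group(1).upper() in required:
            opts = OPTIONS_RE.search(line)
            if opts:
                items = [o.strip().upper() for o in opts.group(1).split(",") if o.strip()]
                items = [o for o in items if o != "NOSIGNON"]  # SMU wins; make the macro agree
                if "SIGNON" not in items:
                    items.append("SIGNON")
                line = line[:opts.start()] + "OPTIONS=(" + ",".join(items) + ")" + line[opts.end():]
            else:
                line = line.rstrip() + ",OPTIONS=(SIGNON)"
            changed.append(name_match.group(1).upper())
        out.append(line)
    return "\n".join(out) + "\n", changed


def convert(smu_text, stage1_text):
    """Return (DFSDCxxx SIGNON= value, Stage 1 text, changed TERMINAL names).

    STERM ALL maps to SIGNON=ALL and leaves Stage 1 alone; otherwise the
    listed terminals get OPTIONS=(...,SIGNON) and DFSDCxxx gets SIGNON=SPECIFIC.
    """
    required = sterm_names(smu_text)
    if required == "ALL":
        return "SIGNON=ALL", stage1_text, []
    new_stage1, changed = add_signon(stage1_text, required)
    missing = sorted(required - set(changed))
    if missing:  # an STERM with no TERMINAL macro would silently lose its requirement
        raise ValueError(f"STERM terminals not found in Stage 1: {missing}")
    return "SIGNON=SPECIFIC", new_stage1, changed


if __name__ == "__main__":
    dfsdc, stage1, changed = convert(SAMPLE_SMU, SAMPLE_STAGE1)
    print(dfsdc, changed)
    print(stage1)
```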

Other Considerations

Implementing LTERM Security with RACF

- SMU can be used to provide LTERM-based transaction and/or command security (for static LTERMs)
    )( TERMINAL LTERM5
       COMMAND DIS
       TRANSACT TRANA
- Equivalent security can be provided by RACF, but requires that RACF be called from the Transaction and/or Command Authorisation Exits (DFSCTRN0, DFSCCMD0). For example:
  - Protect the static LTERMs with the LIMS resource class
  - Define the commands (there are about 50) and/or transaction codes as userids
  - In DFSCCMD0/DFSCTRN0, invoke RACF to VERIFY the IMS command/transaction as a userid, and authorize it against the LTERM name

Implementing LTERM Security with RACF ...

- Or, for even tighter security:
  - Create FACILITY class RACF profiles of the form command.lterm, e.g. DIS.LTERM5, and similarly trancode.lterm, e.g. TRANA.LTERM5
  - In DFSCCMD0/DFSCTRN0, call RACF to authorize the user ID/group to the resource class using the applicable resource combinations
- The IBM tool "IMS ETO Support for z/OS" can be used to provide SMU-like security for
  - TRANSACTION/LTERM
  - TRANSACTION/PASSWORD
  - COMMAND/LTERM
  without requiring any user coding of the IMS exits
  - It supports both Static and Dynamic terminals

Implementing Password Security with RACF

- SMU can provide additional protection for signed-on static terminals, by requiring the user to enter the SMU-defined password that is associated with a transaction or command (or resource for /LOCK, /UNLOCK and /SET)
- RACF solution
  - Applies to static and ETO terminals
  - Use the REVERIFY facilities in IMS and RACF
    - Specify RVFY=Y in IMS
    - Specify 'REVERIFY' in the APPLDATA section of the RACF profile for the transactions and commands
  - Requires a signed-on user to re-enter the signon password with the transaction or command input, e.g.
    /DBR(mypassw) DATABASE XYZ

Migration Considerations ...

- Enable the RCF= value to something other than "N"
  - Requires an IMS cold start
- Specify NORSCCC(MODBLKS) in DFSCGxxx
  - Turns off resource consistency checking for the Matrix data sets in an IMSplex environment

Migration Considerations ...

- Consider possible conflicts between trancodes for AOI and current userids for users
  - Possible MSNAME conflicts also
- Define Matrix data sets
  - V9: still required, but may be empty
  - V10: no longer needed

Migration Considerations ...

- Any of the following SECURITY macro options activate SMU:
  - PASSWD=YES or PASSWD=FORCE     (override: /NRE NOPASSWORD)
  - TERMNL=YES or TERMNL=FORCE     (override: /NRE NOTERMINAL)
  - TRANCMD=YES or TRANCMD=FORCE   (override: AOI1=R)
  - TYPE=RACFAGN or TYPE=AGNEXIT   (override: ISIS=R)

Migration Considerations ...

- AOI considerations
  - CMD has a new status code and new return/reason (AIB) codes
  - ICMD has new return/reason codes
  - Log record (type X'10') has new error codes
- New and changed exits: DFSRAS00, DFSCCMD0, DFSISIS0, DFSMSCE0

Migration Checklist - SMU to RACF

- Translate AGN definitions to RACF
  - Make sure the new classes are activated in RACF
  - Define the new RAS parameters: SECURITY macro or execution ISIS parameter
  - Create DFSRAS00 to replace DFSISIS0
  - Review JCL for AGN= specifications
- For static terminals required to sign on
  - Specify the SIGNON=ALL|SPECIFIC parameter in DFSDCxxx
  - Optionally, specify OPTIONS=SIGNON on the applicable TYPE/TERMINAL macros


Migration Checklist - SMU to RACF ...

- Enable SAF support for TCO command authorization
  - TCORACF=Y and RCF=A|S|R|B
- Review AOI requirements
  - Specify the AOI parameter on the TRANSACT macro where needed
  - For TYPE 1 CMD security, additionally specify AOI1 = A|N|C|R|S
- Migrate /LOCK and /UNLOCK security
  - Specify LOCKSEC=Y in DFSDCxxx

Migration Checklist - SMU to RACF ...

- Review MSC requirements for link receive security
  - Specify the use of SAF/DFSCTRN0 and the level of authorization checking in the new MSCSEC parameter in DFSDCxxx
  - Modify DFSMSCE0 if needed
  - Synchronize RACF profiles on the sending and destination systems
- Determine the need to change or write exit routines

SMU TO RACF CONVERSION UTILITIES

SMU to RACF Conversion Utilities

- A set of stand-alone programs and JCL
- Delivered via PTF
- Documented in the PSP bucket: UPGRADE IMS910 SUBSET SMU2RACFCON

SMU to RACF Conversion Utilities

PTFs on IMS V9 and IMS V10 provide a set of utilities to help migrate SMU to RACF.

IMS V9:
  PK68453/UK38824, PK66015/UK37339, PK56106/UK32791, PK54996/UK32790, PK38522/UK28607, PK35433/UK21894

IMS V10:
  PK69107/UK38825, PK66030/UK37313, PK56185/UK33359, PK58281/UK32794, PK49538/UK31516

SMU to RACF Conversion Utilities

- Application Group Name (AGN) security
  - Use DFSKAGN0 to generate RACF RAS definitions
- Type 1 Automated Operator Interface (AOI)
  - Use DFSKDIMS (optional) and DFSKCIMS to generate RACF statements
  - Use DFSKSMU1 and DFSKAOI1 to add the AOI parameter to TRANSACT macros in Stage 1
- Terminal security for Time-Controlled Operations (TCO)
  - Use DFSKDIMS (optional) and DFSKCIMS to generate RACF statements for LTERM DFSTCFI
- MSC link-receive security
  - The DFSKSTG0 Stage 1 Analysis report will provide advice on what is required
- /LOCK, /UNLOCK and /SET commands with passwords
  - The DFSKSTG0 Stage 1 Analysis report will provide advice on what is required
- Static terminal Signon verification
  - Use DFSKSMU1 and DFSKSMU2 to add the SIGNON option to TERMINAL macros in Stage 1

SUMMARY

- IMS 9 and IMS 10 include a set of utilities to simplify and expedite the migration from SMU
  - Supplied via PTFs
  - Addresses the most manually intensive tasks
  - Creates the corresponding RACF statements
  - Updates IMS Stage 1 TRANSACT and/or TERMINAL macros as needed
- Not meant as a total solution!
  - Generated RACF statements may well require additional editing
  - Customers using different flavors of the same type of SMU security (e.g. )( CTRANS and )( TCOMMAND) may have to convert different subsets of SMU source in different ways
- The Stage 1 Analysis Report documents all the appropriate tasks for migrating off SMU

References

References for Security Information

- IMS V10 System Administration Guide, Chapter 8, SC18-9718-00, available for viewing or download at http://www.ibm.com/ims
- IMS V9 System Administration Guide, Chapter 4, SC18-7807-00, available for viewing or download at http://www.ibm.com/ims
- IMS Version 9 Implementation Guide, Chapter 6, SG24-6398, http://www.redbooks.ibm.com/redbooks/pdfs/sg246398.pdf

References for Security Information

- IMS V7 Performance Guide (Redbook), Chapter 19, SG24-6404, http://www.redbooks.ibm.com/redbooks/pdfs/sg246404.pdf
- IMS V6 Security Guide (Redbook, still valid despite its age), SG24-5363, http://www.redbooks.ibm.com/redbooks/pdfs/sg245363.pdf
- IMS Primer (Redbook), Chapter 24, SG24-5352, http://www.redbooks.ibm.com/redbooks/pdfs/sg245352.pdf
- z/OS Security Server RACF Security Administrator's Guide, SA22-7683-11, Chapter 16: RACF and IMS (concise but missing updates)

References for Security Information

- Presentations: http://www-306.ibm.com/software/data/ims/shelf/presentations/
  Especially:
  - "Security Options and Considerations for OTMA, IMS Connect, and the MQSeries Bridge Application"
  - "Converting IMS SMU Security to RACF with V9"

RACF tools

- The RACTRACE tool can trace every RACF call from a selected address space via WTO. The tool and documentation can be downloaded from: ftp://www.redbooks.ibm.com/redbooks/GG243984/
- Other RACF goodies: http://www-03.ibm.com/servers/eserver/zseries/zos/racf/goodies.html

Visit the IMS Home Page Frequently

www.ibm.com/ims contains links to:
- Upcoming Webcasts, Roadshows and other events
- Samples submitted by IBM and customers (IMS Examples Exchange)
- Presentations/papers
- Library
- IMS Tools and the Tools library
- Information Center
- IMS Newsletters

Online User Forums

- IMS-L: http://imslistserv.bmc.com/
- Virtual IMS Connection: http://www.virtualims.com
- IMS Society: http://www.ims-society.com/board/index.php

Call or Write
Maida Snapper maidalee@us.ibm.com 845-620-5762

Hints and Tips and FAQs

SMU Conversion FAQs

1) When I change the RCF value, do I need to COLD start?
   YES! Changing the RCF parameter requires a COLD start of IMS to take effect.

2) How do I convert the SMU TERMINAL statements for WTO and MTO to RACF?
   If your SMU allows WTO and MTO to do all commands then no action is necessary. IMS bypasses the RACF check for commands from the System Console and MTO.

3) I removed all my STERM statements from SMU. Why does IMS still see them?
   If you have no STERM statements then the Security Gen (DFSISMP0 SMU utility) will not produce a new version of member DFSISSOx. If there is an existing DFSISSOx in the MATRIX dataset, the utility will not delete it. You need to do that yourself by deleting or renaming it. This applies to any of the MATRIX dataset members when all of their corresponding control statements have been removed from SMU.

4) I tried to turn off Type 1 AOI security by starting IMS with /NRE NOTRANCMDS. Why are all CMD calls now being rejected?
   In IMS V9, TRANCMD=NO on the SECURITY macro and NOTRANCMDS on an IMS restart do not have the same effect. TRANCMD=NO or AOI1=N turns off security for CMD calls. Starting IMS with NOTRANCMDS means transactions cannot issue the CMD call. In IMS V10, NOTRANCMDS is ignored.

SMU Conversion FAQs

5) How can I force the TCO terminal, DFSTCF, to sign on if I can't code it in the IMSGEN?
   The only way to force the TCO terminal to sign on is to code SIGNON=ALL in DFSDCxxx. If you code SIGNON=SPECIFIC or SIGNON=NONE, the TCO terminal will not be required to sign on.

6) Why does my TCO script execute even though I didn't put a valid user ID and password sign on in the script?
   If TCO doesn't sign on, or signs on and fails verification, and you do not require the TCO terminal to sign on (see above), then RACF will use the IMS control region user ID. If the IMS control region user ID is authorized to do the transaction or command, the script will execute.

7) Why are some of the commands in my TCO script being rejected by RACF even though I have a valid TCO user ID that signs on in the script?
   If you put a /SIGN OFF at the end of the TCO script, the RACF ACEE for the TCO user ID will be deleted at signoff time. Any time-initiated commands or transactions scheduled to execute at a later time will fail the RACF check. The exception to this is when you do not require the TCO terminal to sign on and the IMS control region is authorized to do the transaction or command. Recommend you do not put /SIGN OFF in the script.

SMU Conversion FAQs

8) Why is SMU rejecting transactions even though I specified RACF for transaction authorization and I removed all the TERMINAL statements from SMU?
   If RACF security is specified for transactions from static terminals, and if the SECURITY macro specifies TERMNL=YES or PASSWD=YES, then IMS will do both RACF and SMU security checks for transactions from static terminals. The SMU checks will be done after the RACF checks. During your SMU migration, if you removed TERMINAL statements from your SMU but did not set TERMNL=NO, static terminal users could receive SMU security violations even though they are authorized by RACF. This only applies to transactions, not commands.

9) Why am I getting a DFS171A Security Load Failed after I removed all my SMU statements and emptied my MATRIX dataset?
   If your SECURITY macro specifies TERMNL=YES and/or PASSWD=YES, IMS expects to be able to load the MATRIX dataset member that contains the SMU TERMINAL statements or SMU PASSWORD statements. If you remove the TERMINAL and PASSWORD statements from SMU but you still have TERMNL=YES and/or PASSWD=YES specified on the SECURITY macro, IMS will issue the DFS171A message at initialization. This is an informational message and IMS will come up.

SMU Conversion FAQs

10) Do I have to remove the AGN parameter on all my BMP jobs when I convert from SMU to RACF?
    No. The AGN parameter on all procedures is valid for compatibility and ignored.

11) Do I have to change ISIS=0 to ISIS=N for IMS V10?
    It depends on what your SECURITY macro specifies. IMS V10 ignores ISIS=0,1,2, which means the TYPE specification on the SECURITY macro will be used to determine the setting for RAS security.

12) If I want all my static terminals to sign on, do I have to code OPTIONS=SIGNON on every static terminal macro?
    No. When you want all of your static terminals to sign on, you can specify SIGNON=ALL in the DFSDCxxx PROCLIB member. This requires all static terminals to sign on except MTO, LU6.1, 3284/3286, and SLU1 printer-only devices. If you want the MTO to sign on, specify OPTIONS=SIGNON on the MTO's TYPE or TERMINAL macro.

13) Why are CMD calls being rejected even though I coded AOI1=R?
    AOI1=R has no effect unless AOI= is coded on the TRANSACT macro.

SMU Conversion FAQs

14) What user ID is used for AO application programs when AOI=YES in the TRANSACT macro?
    If the AOI program is an MPP or IFP and a message GU call has completed, the user ID is the user at the signed-on terminal or the LTERM name of the signed-off terminal where the transaction is issued. If GU is not issued, the PSB name is used.
    If the AOI program is a BMP and a message GU call has completed, the user ID is the user of a signed-on terminal or the LTERM name of the signed-off terminal where the transaction is issued. If GU is not issued or if the BMP is non-message driven, the value of the USER parameter specified on the JCL JOB statement is used. If the USER parameter is not specified, a user ID of 0000000 is used.
    If the AOI program is a DRA THREAD, the security token that is passed in the PAPL for a schedule request is used to determine whether the user can issue command calls.

15) How can I convert SMU LTERM security to RACF transaction authorization for transactions coming over an ISC link from a device that is unable to sign on?
    One possible approach: if sign on is not required, then the IMS control region user ID is used when IMS calls RACF. If the IMS control region user ID is authorized, then the Transaction Authorization Exit (DFSCTRN0) will be called for further checking. If the ISC transaction makes a CHNG call, IMS will use the LTERM name as the user ID and try to create an ACEE for it. You could create a user ID for the LTERM name or use the Security Reverification Exit (DFSCTSE0) to override the RACF failure.

Hints and Tips

1) If you change the RCF parameter, a COLD start is required for the change to take effect.

2) If you protect the RECONs in RACF, be sure users have authorization to all 3 RECON datasets. If the VSAM open for either RECON1 or RECON2 fails because of a RACF security violation, IMS interprets the open failure as an I/O error and discards that RECON dataset.

3) Opening a VSAM dataset for update requires CONTROL access in RACF (for CI split processing).

4) If you change the RCLASS and request RACF security, be sure you have defined your new C,T,I,L classes in the RACF CDT and ACTIVATEd them in RACF before you start IMS. If required classes are not defined, IMS will abend at initialization with a U0166 abend. You don't have to define any resource profiles in the classes but the classes must be defined to RACF in the CDT. If you don't define the F,S,O,P classes, IMS will issue informational message DFS2466I but not abend. (Application programs may not be able to do AUTH calls.)

5) In IMS V9, all IMS jobs, utilities and subsystems in which DBRC is active require CONTROL access to the RECONs. IMS V10 provides the option of opening the RECON for read-only access.

Hints and Tips

6) CMDMCS guides the authorization of IMS commands that originate from MCS consoles. If CMDMCS=R, the userid of the MCS console is checked by RACF before allowing the command. If the command is a DBRC command (/RMx) and the /RMx command is authorized by the CMDMCS RACF check, then the DBRC security check is not done.

7) /RM commands are automatically authorized if they come from the MVS console or the IMS master. No DBRC security check is done.

8) When either the AOIS or CMDMCS startup values indicate that DFSCCMD0 (Command Authorization Exit) is to be invoked, DFSCCMD0 must be included in the IMS system or IMS abends with a U0718 at initialization.

9) An input message going from the front end IMS to the back end IMS includes the user ID and group name. If transaction authorization is activated on the BE and the application issues a CHNG call, IMS calls RACF to create an ACEE based on the user ID and group name that was passed from the FE in the IOPCB. If the BE uses a different RACF database, the user must be attached to the same RACF group on the BE as he is on the FE or authorization on the BE will fail: INVALID GROUP. If the RACF database is not shared, recommend keeping them in sync.

Hints and Tips

10) If SIGNON=SPECIFIC in DFSDCxxx then NOSIGNON will be the default for all static terminals.

11) Console and Master are never required to sign on and are not impacted by STERM ALL or SIGNON=ALL.

12) IMS bypasses the RACF check for commands from the system console and MTO. Transactions from the system console are handled the same as transactions coming from any static terminal. This means sign on may be required for transactions.

13) RACF does not have to be enabled for every type of input source. For example, it's OK to say RCF=N and ISIS=R to have RACF RAS security but no RACF security for commands or transactions from SNA terminal users.

14) ODBA (e.g. DB2 stored procedures) can be secured using APSB security by specifying ODBASE=Y (and RACF turned on), or you can use RAS security by specifying ISIS=R. If both ODBASE and ISIS are specified, ODBASE will be used for ODBA.

15) You can do an IMSGEN with TRANEX specified and not have a Transaction Authorization exit. There will be an unresolved reference for DFSCTRN0. If this exit is later added, you need to relink the IMS Nucleus (DFSVNUCx) to pick up the exit. Copying the exit to RESLIB is not enough.


Hints and Tips


16) An AOI program issuing an unauthorized CMD call receives a CD status code.

17) Any time IMS issues a RACROUTE that results in an update of the RACF database, it causes an exclusive enqueue on the data set. For example: /SIGN with NEWPW and VERIFY.

18) To find out whether more than one profile protects a particular resource, issue the RLIST command with the RESGROUP operand. For example:
      RLIST CIMS EXI RESGROUP
    RLIST RESGROUP does not support generic matches. If you define a profile and use generic characters such as * to add members to the profile, RLIST RESGROUP will not return any of the matching profiles in its output. For example, after
      RDEF GIMS GIMSGRP ADDMEM(ABC*)
      RLIST GIMS ABCD RESGROUP
    ABC* will not appear in the RLIST output.

19) If you have no STERM statements, then DFSISMP0 (the SMU utility) will not produce a new version of member DFSISSOx. If there is an existing DFSISSOx in the MATRIX data set, the utility will not delete it; you need to remove the member yourself by deleting or renaming it. This applies to any of the MATRIX data set members when all of their corresponding control statements have been removed from SMU.


Hints and Tips


20) Sample approach to replace LTERM security for an ISC link that doesn't sign on: if sign-on is not required, then the CTL region user ID is used on the FASTAUTH against the transaction name. You could then use the DFSCTRN0 exit to check security. If the ISC transaction subsequently makes a CHNG call, IMS will use the LTERM name as the user ID and try to create an ACEE for it. You could create user IDs for the LTERM names or use DFSCTSE0 to override the RACF failure.

21) If you implement TCORACF security, you need a /SIGN ON in the TCO script with a user ID and password. This creates an ACEE for the TCO user ID to authorize the transactions and commands issued by the script. If you put a /SIGN OFF in the script, the ACEE is deleted and any time-initiated commands or transactions scheduled to execute later will fail the RACF check. It is recommended that you do not /SIGN OFF.

22) If RACF security is specified for transactions from static terminals, and the SECURITY macro specifies TERMNL=YES/FORCE or PASSWD=YES/FORCE, then IMS does both RACF and SMU security checks for transactions from static terminals. The SMU checks are done after the RACF checks. During your SMU migration, if you removed TERMINAL statements from your SMU but did not set TERMNL=NO, static terminal users can receive SMU security violations even though they are authorized by RACF. This applies only to transactions, not commands.

Hints and Tips


23) RACF always uses the most specific (discrete) profile it can find for the resource. Be aware of things like this:
      RDEF FACILITY PROD.LIST.DB.* UACC(NONE)
      PERMIT PROD.LIST.DB.* CLASS(FACILITY) ID(JONES) ACCESS(READ)
      RDEF FACILITY PROD.LIST.DB.AAA UACC(NONE)
      PERMIT PROD.LIST.DB.AAA CLASS(FACILITY) ID(SANCHEZ) ACCESS(READ)
    Jones cannot do LIST.DB DBD(AAA), but Jones can list database AAA by using LIST.DB ALL.
    Be aware of things like this:
      RDEF TIMS ** UACC(NONE)
      PERMIT ** CLASS(TIMS) ID(JONES) ACCESS(READ)
      RDEF TIMS ADDINV UACC(NONE)
      PERMIT ADDINV CLASS(TIMS) ID(SANCHEZ)
    Jones cannot access the ADDINV transaction.

Hints and Tips


24) If USER1 is in the access list of the generic ** profile and there is another access list for a specific member of that same class, then USER1 will not have access to that specific member. For example:
      PE ** CLASS(CIMS) ID(MAIDA) ACCESS(READ)
      PE DIS CLASS(CIMS) ID(JAMES) ACCESS(READ)
    results in MAIDA having access to all commands except /DIS.

25) In IMS V10, ISIS=0,1,2 are ignored and ISIS defaults to the TYPE specification on the SECURITY macro for RAS security.

26) AGN coded on procedures is valid for compatibility but ignored.

27) RACF ALTER access is required to extend database data sets to new candidate volumes.

28) If you activate RAS security, then every dependent region needs to be authorized to the IMSid protected in the APPL class.

29) CIMS resource names must be the first 3 characters of the IMS command.


Hints and Tips


30) If sign-on is not required and the user does not sign on, RACF uses the ACEE of the default environment for authorization. (ETO terminals are always required to sign on.) The default environment could be the IMS control region or it could be the dependent region.

31) With TERMNL=YES specified on the SECURITY macro, IMS expects to be able to load the MATRIX data set member that contains the SMU TERMINAL statements. With PASSWORD=YES specified on the SECURITY macro, IMS expects to be able to load the MATRIX member that contains the PASSWORD statements. If you remove all TERMINAL and/or PASSWORD statements from SMU and you have TERMNL=YES and/or PASSWORD=YES specified on the SECURITY macro, IMS issues the DFS171A message at initialization. This is informational and IMS will still come up.

32) When no command security is specified for a given input source, you get default security for commands entered from that source. For example, if you set up RACF command authorization to allow /DIS from terminals but did not specify a value for APPCSE, then the default security for APPC allows only the /BROADCAST, /LOG, /RDISPLAY and /RMLIST commands, and the /DIS command will not be accepted from an APPC device.

33) Default security applies only to commands, not transactions.

Hints and Tips


34) Unless you have RACF configured for sysplex communication, a SETR RACLIST(TIMS) REFRESH on SYSA is not propagated to SYSB. You have to issue the same command on SYSB as well.

35) You might have to recycle IMS to grant new data set access. If new access is given to a GROUP and IMS was not previously connected to that GROUP, then IMS will need to be recycled. If the access was given to IMS or to a GROUP IMS was already connected to, then refreshing the profile should be enough. If the profile is generic, then SETROPTS REFRESH GENERIC(DATASET) needs to be issued. You don't have to recycle IMS for RACF resource profile changes to take effect; you only need to refresh the RACF dataspace by issuing
      SETR RACLIST(classname) REFRESH
    Classname should always be the member class (e.g. CIMS), not the grouping class (e.g. DIMS).

36) When you have class pairs of MEMBER and GROUP types, all action items (other than changing profiles) are against the MEMBER class.

Hints and Tips


37) The ** (G) profile covers all resources NOT already defined in the class. For example, RDEF CIMS ** UACC(NONE) covers all commands that do not have their own profile in CIMS or a DIMS group. RACF looks for:
    a) A discrete CIMS profile (merged with information from the DIMS class and the ADDMEMs referenced in DIMS profiles that match the CIMS profile), and uses the most restrictive.
    b) If no discrete CIMS profile is found but there are CIMS or DIMS generic profiles, then the "best" or most accurate match is used.
    c) Finally, the ** (G) profile covers all other IMS commands not already defined in CIMS as either DISCRETE or GENERIC. This final profile is often called the "backstop" or "profile of last resort".


Hints and Tips


38) Member class and grouping class definitions are merged when RACLISTed. IMS authorization calls are made against the member class. When there are conflicts, the most restrictive definition is used.

39) If a resource name appears in more than one resource group and/or has a discrete profile of its own with conflicting UACCs, RACF chooses the most restrictive UACC. If a user is in more than one access list for the same resource, the information is merged and the most permissive (least restrictive) ACCESS is used. (See z/OS Security Server RACF Security Administrator's Guide: "Resolving Conflicts among Multiple Profiles".) Be aware of things like this:
      RDEF DIMS DBAGROUP ADDMEM(DBR) UACC(NONE)
      RDEF DIMS SYSPROG ADDMEM(DBR) UACC(NONE)
      PE DBAGROUP CLASS(DIMS) ID(JOE) ACCESS(NONE)
      PE SYSPROG CLASS(DIMS) ID(JOE) ACCESS(READ)
    After the merge, JOE has READ access to the /DBR command.

40) The /SIGN and /RCLDST commands are the only commands that an ETO terminal can enter before it signs on. RACF is not called to authorize these commands.
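To make the profile-resolution rules in hints 23, 24, 37 and 39 concrete, here is a small Python model (example code added for this page, not from the presentation or from IBM) of how RACF picks the covering profile and merges grouping-class access lists. The profile names, users and classes are constructed, and generic-character matching is simplified to shell-style globbing.

```python
# Added example (not from the presentation): a small model of how RACF picks
# the profile that covers an IMS resource, following hints 23, 24, 37 and 39.
# Profile names, users and classes are constructed; generic matching is
# simplified to shell-style globbing, so real RACF rules are richer than this.
import fnmatch

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

def resolve_profile(profiles, resource):
    """Discrete profile first, else the most specific matching generic; the
    ** backstop (no literal characters) sorts last (hints 23, 24, 37)."""
    if resource in profiles:
        return resource                                # discrete profile wins
    generics = [p for p in profiles if "*" in p
                and fnmatch.fnmatchcase(resource, p.replace("**", "*"))]
    generics.sort(key=lambda p: -len(p.replace("*", "")))   # most literals first
    return generics[0] if generics else None

def member_access(profiles, resource, user):
    """Access from the one member-class profile that applies: the user's
    access-list entry if present, otherwise the profile's UACC."""
    name = resolve_profile(profiles, resource)
    if name is None:
        return None                                    # resource not protected
    return profiles[name]["acl"].get(user, profiles[name]["uacc"])

def merged_group_access(group_profiles, resource, user):
    """Hint 39: several grouping-class profiles ADDMEM the same resource; UACCs
    merge to the most restrictive, a user's own entries to the most permissive."""
    covering = [g for g in group_profiles.values() if resource in g["members"]]
    if not covering:
        return None
    entries = [g["acl"][user] for g in covering if user in g["acl"]]
    if entries:
        return max(entries, key=ACCESS_RANK.__getitem__)
    return min((g["uacc"] for g in covering), key=ACCESS_RANK.__getitem__)

# Constructed data mirroring the hints. Hint 24: MAIDA on **, JAMES on DIS.
CIMS = {"**":  {"uacc": "NONE", "acl": {"MAIDA": "READ"}},
        "DIS": {"uacc": "NONE", "acl": {"JAMES": "READ"}}}
# Hint 23: JONES on **, SANCHEZ on the discrete ADDINV transaction profile.
TIMS = {"**":     {"uacc": "NONE", "acl": {"JONES": "READ"}},
        "ADDINV": {"uacc": "NONE", "acl": {"SANCHEZ": "READ"}}}
# Hint 39: /DBR is a member of two DIMS profiles with conflicting entries for JOE.
DIMS = {"DBAGROUP": {"uacc": "NONE", "members": {"DBR"}, "acl": {"JOE": "NONE"}},
        "SYSPROG":  {"uacc": "NONE", "members": {"DBR"}, "acl": {"JOE": "READ"}}}

if __name__ == "__main__":
    print(member_access(CIMS, "DIS", "MAIDA"), member_access(CIMS, "STA", "MAIDA"))
    print(member_access(TIMS, "ADDINV", "JONES"), merged_group_access(DIMS, "DBR", "JOE"))
```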
