Disclaimer
Copyright IBM Corporation [current year]. All rights reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM'S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE USE OF IBM PRODUCTS AND/OR SOFTWARE.
IBM, the IBM logo, ibm.com, DB2, CICS, RACF and IMS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml. Other company, product, or service names may be trademarks or service marks of others.
Security Facilities
- IMS default security
- Program Specification Block (PSB)
- Encryption
- VSAM password protection
- Application-based security
- Physical security
- RACF (or other SAF product)
- Exits
Encryption
Data Encryption for DB2 and IMS Databases tool:
- requires the optional IBM Crypto Express2 (CEX2) hardware feature
- requires ICSF, the software interface to the crypto hardware
- requires the standard CP Assist for Cryptographic Function (CPACF) to be enabled and active if the clear-key exit is used
- is recommended over "roll your own" solutions, as extensive testing has been done to ensure the product works with all the product interfaces
- requires no changes to applications, just a change to the DBD to define the exit routine
The exit routine is named on the SEGM statement of the DBD with the COMPRTN= keyword:
    SEGM ...,COMPRTN=(routinename,DATA,INIT,MAX)
DBD example with the exit routine (DFSCMPX0 on this slide) coded on the PAYROLL segment:
    SEGM  NAME=ADDRESS,BYTES=200,FREQ=2,PARENT=NAME
    FIELD NAME=HOMEADDR,BYTES=100,START=1,TYPE=C
    FIELD NAME=COMAILOC,BYTES=100,START=101,TYPE=C
    SEGM  NAME=PAYROLL,BYTES=100,FREQ=1,PARENT=NAME,COMPRTN=(DFSCMPX0,DATA,INIT,MAX)
    FIELD NAME=HOURS,BYTES=15,START=51,TYPE=P
    FIELD NAME=BASICPAY,BYTES=15,START=1,TYPE=P
    DBDGEN
    FINISH
    END
PASSWD=NO on the DBD statement (the default) specifies that the DBDNAME of this DBD is not to be used as the VSAM password. In IMS batch this causes the operator to be prompted for the password each time the data set is opened.
Setting Up RACF
- Create resource class descriptions in the Class Descriptor Table (CDT), e.g. TIMS, CIMS, or installation-defined classes
- Make sure the IMS resource classes are activated in RACF
- Populate the RACF database:
  - Create group and user profiles: define groups, define users, connect users to groups
  - Create resource profiles: define a profile in the appropriate class for each resource to be secured
  - Create access lists: permit groups or users to access each resource
Class Descriptor Table (CDT)
- maximum 1024 entries: 256 are defined by IBM, 768 can be installation-defined
- loaded at IPL by merging the static, then the dynamic class descriptors
  - a dynamic entry replaces a static entry of the same name
  - if the merge reaches 1024 entries, RACF warns that entries are being ignored
- the CDT processes a paired member class and grouping class together
- updating the RACF Router Table for new resource classes is not required
Supplied CDT entries are documented in Appendix C of z/OS Security Server RACF Macros and Interfaces.
When IMS resources are protected by RACF:
- IMS needs a user ID
- DLISAS needs a user ID
- dependent regions may need a user ID
The user IDs are needed for:
- access to system resources and data sets (for example, the system dump data set)
- access to IMS-protected data sets (for example, the IMS RECON or RESLIB)
- access to IMS resources as the default user ID
User IDs can be assigned to these started address spaces using the RACF STARTED class.
Discrete profile
- protects a single resource
- fully qualified profile name
Generic profile
- protects one or more resources of the same type
- the profile name contains generic (wildcard) characters
- SETR GENERIC(classname) to enable generics for the class
Fully-qualified generic profile
- used only by the DATASET resource class
- used to retain the profile when the data set is deleted
If multiple profiles match a resource, RACF uses the most specific one.
RACF Resource Profiles
    RDEFINE CIMS DIS UACC(READ)
    RDEFINE DIMS DBACMDS ADDMEM(STO,STA,DIS) UACC(NONE)
IMS resources that can be protected:
- Transaction
- Command (type 1)
- PSB
- LTERM
- DBRC command
- OM command
- CF structures
- IMS control region
- IMSplex (CSL)
- Data set
[Figure: access check for resource DIS against a profile with UACC NONE]
SETROPTS RACLIST(classname) REFRESH
- RACF refreshes all classes with the same CDT POSIT value as classname
- specify the member class name, not the grouping class name (for example, CIMS, not DIMS)
- REFRESH must be entered on every member of a sysplex unless RACF is configured for sysplex communication
DFSBSEX0 (the Build Security Environment exit) was offered to improve performance; it lets you control if and when a security environment is dynamically built in cases where one does not exist (a back-end IMS, or a user who has signed off, for example). Exits can be used to do more granular checking than RACF may offer.
SECURITY macro
    TRANCMD= NO | YES | FORCE
    SECCNT=  0 | 1 | 2 | 3
Security Macro
- SECLVL= transaction authorization / signon verification
- TYPE= RACF and/or exits; choose one option from each column:
    NORAS | RASRACF | RASEXIT | RAS
    NORACTRM | RACFTERM
    NOTRANEX | TRANEXIT
    NOSIGNEX | SIGNEXIT
    NORACFCM | RACFCOM
References: IMS V10 System Administration Guide, Table 28; IMS V9 DBRC Guide and Reference, Appendix C.
Protecting OM Commands
CMDSEC=R
    RDEFINE OPERCMDS IMS.CSLPLX0.UPD.TRAN UACC(NONE)
    PERMIT IMS.CSLPLX0.UPD.TRAN CLASS(OPERCMDS) ID(LONNIE) ACCESS(UPDATE)
    RDEFINE OPERCMDS IMS.CSLPLX0.STO.DB UACC(NONE)
    PERMIT IMS.CSLPLX0.STO.DB CLASS(OPERCMDS) ID(ALAN) ACCESS(UPDATE)
    RDEFINE OPERCMDS IMS.CSLPLX1.UPD.TRAN UACC(NONE)
    RDEFINE OPERCMDS IMS.*.QRY.* UACC(NONE)
    PERMIT IMS.*.QRY.* CLASS(OPERCMDS) ID(KENNY) ACCESS(READ)
Resource names: IMS V10 IMSplex Administration Guide, Table 8; IMS V9 Command Reference, Appendix I (Resource Names Table).
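How RACF chooses among these profiles (the discrete-versus-generic rule from the profile slide, applied to the OPERCMDS definitions above) is worth seeing run. The Python below is an added example, not IBM code and not part of the slides: it matches a resource name against discrete and generic profiles, picks the most specific covering profile, and applies that profile's access list and UACC. The OPERCMDS dictionary, ACCESS_ORDER, best_profile and check are the example's own names; the generic-character rules are a simplified reading of RACF's (group connections, WARNING mode and global access checking are left out).

```python
# Added example (not from the IBM slides): a small model of how RACF decides
# which profile protects a resource name and whether a userid gets the
# requested access. Profiles and userids are those the OM command slide
# defines; the matching rules are simplified from RACF's, not RACF code.
import re

ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Profiles from the slide: name -> UACC and access list (userid -> access).
# SETROPTS GENERIC(OPERCMDS) is assumed active, so IMS.*.QRY.* is generic.
OPERCMDS = {
    "IMS.CSLPLX0.UPD.TRAN": {"uacc": "NONE", "acl": {"LONNIE": "UPDATE"}},
    "IMS.CSLPLX0.STO.DB":   {"uacc": "NONE", "acl": {"ALAN": "UPDATE"}},
    "IMS.CSLPLX1.UPD.TRAN": {"uacc": "NONE", "acl": {}},
    "IMS.*.QRY.*":          {"uacc": "NONE", "acl": {"KENNY": "READ"}},
}

_RANK = {"**": 0, "*": 1, "%": 2}   # lower = less specific; literals rank 3


def _tokens(profile):
    """Split a profile name into literal characters and the generics %, * and **."""
    toks, i = [], 0
    while i < len(profile):
        if profile.startswith("**", i):
            toks.append("**")
            i += 2
        else:
            toks.append(profile[i])
            i += 1
    return toks


def _to_regex(profile):
    """% matches one character; * the rest of a qualifier (the rest of the name
    when it is the final character); ** zero or more qualifiers. Simplified."""
    toks, parts = _tokens(profile), []
    for idx, t in enumerate(toks):
        if t == "%":
            parts.append("[^.]")
        elif t == "**":
            parts.append(".*")
        elif t == "*":
            parts.append(".*" if idx == len(toks) - 1 else "[^.]*")
        else:
            parts.append(re.escape(t))
    return re.compile("^" + "".join(parts) + "$")


def _specificity(profile):
    """Position by position a literal beats %, which beats *, which beats **."""
    return tuple(_RANK.get(t, 3) for t in _tokens(profile))


def best_profile(profiles, resource):
    """Name of the most specific profile covering `resource`, or None if unprotected."""
    hits = [p for p in profiles if _to_regex(p).match(resource)]
    if not hits:
        return None
    # A discrete profile (no generic characters) always wins; otherwise compare
    # the two names position by position from the left.
    return max(hits, key=lambda p: (not any(t in _RANK for t in _tokens(p)),
                                    _specificity(p)))


def check(profiles, resource, userid, requested):
    """Return (decision, profile). An access-list entry overrides UACC, even when
    it grants NONE. With no covering profile the answer is UNDEFINED: RACF has
    neither granted nor denied, and the resource manager decides what that means."""
    profile = best_profile(profiles, resource)
    if profile is None:
        return ("UNDEFINED", None)
    entry = profiles[profile]
    granted = entry["acl"].get(userid, entry["uacc"])
    allowed = ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(requested)
    return ("ALLOW" if allowed else "DENY", profile)


if __name__ == "__main__":
    for res, user, acc in [("IMS.CSLPLX0.UPD.TRAN", "LONNIE", "UPDATE"),
                           ("IMS.CSLPLX0.UPD.TRAN", "ALAN", "UPDATE"),
                           ("IMS.CSLPLX1.QRY.DB", "KENNY", "READ"),
                           ("IMS.CSLPLX1.STO.DB", "ALAN", "UPDATE")]:
        print(res, user, acc, "->", check(OPERCMDS, res, user, acc))
```

Running it shows LONNIE allowed UPDATE on IMS.CSLPLX0.UPD.TRAN, ALAN denied on that same profile (UACC NONE and not in its access list), KENNY covered by the generic for a QRY command in any IMSplex, and IMS.CSLPLX1.STO.DB covered by no profile at all. That last case is the reason the slide defines a UACC(NONE) profile for every command it wants controlled: an undefined resource is not a denial.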
Protecting CF Structures
    RDEF FACILITY CQSSTR.IMSP_MSGQ1 UACC(NONE)
    PE CQSSTR.IMSP_MSGQ1 CLASS(FACILITY) ID(IMSP) ACCESS(UPDATE)
    RDEFINE FACILITY IXLSTR.IMSP_MSGQ1 UACC(NONE)
    PERMIT IXLSTR.IMSP_MSGQ1 CLASS(FACILITY) ID(IMSP) ACCESS(UPDATE)
    RDEFINE FACILITY IXLSTR.IMSP_IMSIRLM UACC(NONE)
    PERMIT IXLSTR.IMSP_IMSIRLM CLASS(FACILITY) ID(IRLMP) ACCESS(UPDATE)
    SETROPTS CLASSACT(FACILITY)
    SETROPTS RACLIST(FACILITY) REFRESH
(RDEF and PE are the short forms of RDEFINE and PERMIT.)
Protecting the IMSplex
    ADDGROUP PLX0GRP ...
    ADDUSER OM1USER ... DFLTGRP(PLX0GRP)
    ADDUSER RM1USER ... DFLTGRP(PLX0GRP)
    ADDUSER CQS1USER ... DFLTGRP(PLX0GRP)
    ADDUSER IMS1USER ... DFLTGRP(PLX0GRP)
    ADDUSER ... (other address spaces needing access to SCI)
    RDEF STARTED OM1 STDATA(USER(OM1USER) GROUP(PLX0GRP) ...
    RDEF STARTED RM1 STDATA(USER(RM1USER) GROUP(PLX0GRP) ...
    RDEF ... (for each started task)
    RDEFINE FACILITY CSL.CSLPLX0 UACC(NONE)
    PERMIT CSL.CSLPLX0 CLASS(FACILITY) ID(PLX0GRP) ACCESS(UPDATE)
    SETROPTS CLASSACT(FACILITY)
    SETROPTS RACLIST(FACILITY) REFRESH
SMU Migration
Primary consideration
If migration from SMU to SAF/RACF has not already been done, migration to IMS V10 must also include migration from SMU to SAF/RACF.
Utilities
- The SMU utility is no longer supported
- The Online Change utility ignores MATRIX data set DD cards
Execution parameters
- e.g. AGN, ISIS, AOI1, MSCSEC, SGN, etc.
- values that request SMU are ignored
- some parameters are no longer documented, but are ignored when specified
- defaults changed where the previous default was SMU
RACF keeps its security definitions in profiles: user and group profiles identify who can be authorized, and resource profiles describe the allowed access to each defined resource.
Resources are defined in RACF resource classes, for example:
- Transactions: TIMS class (or groups of transactions in the GIMS class)
- Commands: CIMS class (or groups of commands in the DIMS class)
Predominantly used for BMPs, but it actually applies to all dependent regions and connecting threads (DRA/CCTL/ODBA).
BMP Example
Relies on AGN= being coded in the dependent region JCL.
[Figure: start-up JCL for dependent region BMP1 (IMSID=IMSA, USER=BMP1, PASSWORD=PW, AGN=AGN1). Step 1A: RACF IDENTIFY/CONNECT for the region userid (USER1 ACEE). At SCHED PAYROLL the AGN is checked either by RACF (1B, 1C: AIMS profiles and access lists) or by SMU (2A, 2B: AGN tables in the IMS data space, e.g. AGN1 -BMP1, AGNX -MPP1, AGN2 -IFP1).]
An alternative to the use of RACF is the DFSISIS0 exit, renamed the AGN Security Exit (one or the other is called, not both).
Resource Access Security (RAS) uses RACF security classes for PSBs and LTERMs:
- IIMS: Program Specification Block (PSB)
- JIMS: grouping class for PSBs
- LIMS: logical terminal (LTERM)
- MIMS: grouping class for LTERMs
- TIMS: transaction (TRAN)
- GIMS: grouping class for transactions
PSBs in the AIMS class are for ODBA and explicit APPC use of APSB only.
(further details follow)
ISIS= N | R | C | A
- N = no security (turns off both RAS and SMU)
- R = RAS security invokes RACF
- C = RAS security invokes an IMS user exit (DFSRAS00)
- A = RAS security invokes RACF and the user exit DFSRAS00
Defaults to the SECURITY macro TYPE= specification (or its default).
RAS authorization checks:
- Authorize region against transaction (MPP, JMP)*
- Authorize region against PSB (IFP, non-message-driven BMP, JBP, DRA|CCTL|ODBA)
- Authorize region against transaction and PSB (message-driven BMP)*
- Authorize region against PSB and OUT=LTERM (non-message-driven BMP, JBP)
- Authorize region against PSB and OUT=transaction (non-message-driven BMP, JBP)
* Also checks that the region userid can use the LTERM (if the LTERM is defined in the LIMS class)
DFSISIS0 remains available in an AGN environment for V9, but AGN security and the new RAS security cannot coexist in a single IMS system.
IMS never uses both checks for the same schedule.
ODBA APSB call
- Execution parameter ODBASE=Y means APSB security is used
- With ODBASE=N, RAS (or AGN) security applies if enabled
OLD
SMU AGN definitions:
    )( AGN IMSDGRP
    AGPSB DEBS
    AGPSB APOL1
    AGTRAN TRANA
    AGTRAN TRANB
    AGLTERM IMSUS02
    AGLTERM T3270LD
RACF AGN definitions (AIMS class):
    RDEFINE AIMS IMSDGRP OWNER(IMSADMIN) UACC(NONE)
    PERMIT IMSDGRP CLASS(AIMS) ID(BMPUSER1) ACCESS(READ)
    SETROPTS CLASSACT(AIMS)
NEW
RACF RAS definitions:
    ADDUSER BMPUSER1
    RDEFINE JIMS RASPGRP ADDMEM(DEBS,APOL1) UACC(NONE)
    PERMIT RASPGRP CLASS(JIMS) ID(BMPUSER1) ACCESS(READ)
    RDEFINE GIMS RASTGRP ADDMEM(TRANA,TRANB) UACC(NONE)
    PERMIT RASTGRP CLASS(GIMS) ID(BMPUSER1) ACCESS(READ)
    RDEFINE MIMS RASLGRP ADDMEM(IMSUS02,T3270LD) UACC(NONE)
    PERMIT RASLGRP CLASS(MIMS) ID(BMPUSER1) ACCESS(READ)
PK35433 and PK38522: program DFSKAGN0 is provided to assist in the conversion of AGN SMU statements to their RACF counterparts. Skeleton DFSKSMJA is provided as a sample JCL stream for invoking DFSKAGN0.
OLD
AGN definitions:
NEW
RACF definitions (the generic ** profiles cover every PSB and every transaction):
    ADDUSER DRAINBMP
    RDEFINE JIMS ** UACC(NONE)
    PERMIT ** CLASS(JIMS) ID(DRAINBMP) ACCESS(READ)
    RDEFINE TIMS ** UACC(NONE)
    PERMIT ** CLASS(TIMS) ID(DRAINBMP) ACCESS(READ)
Migration steps (RAS):
- Permit the region IDs to access the appropriate resources
- Change the SECURITY macro to specify RAS, and/or change the ISIS= parameter in DFSPBxxx to specify RAS
- If needed, add ODBASE=Y to DFSPBxxx
- Restart IMS
- When safe, remove the SMU definitions
AOI Security
SMU AOI definitions:
    )(CTRANS AUTOCTL
    TCOMMAND START
    TCOMMAND STOP
    )(TCOMMAND STOP
    CTRANS AUTOCTL
    CTRANS ADDINV
New TRANSACT macro parameter AOI=: defines what is used as the userid. It affects both type-1 and type-2 AOI calls, but has a slightly different meaning for each type.
If you make no changes when migrating to IMS V9, AOI security is as before.
AOI1= N | C | R | A | S
S is reset to R in V10.
TRANSACT macro AOI= values:
- TRAN = requests that the TRANCODE be used as the userid for authorization against the command (in the CIMS class). Note that the transactions have to be defined to RACF as USERIDs.
- CMD = requests that the COMMAND CODE (the first three characters of the command) be authorized against the trancode (in the TIMS class). The first three characters of the IMS commands have to be defined to RACF as USERIDs.
- NO = AOI type-1 CMD calls are not allowed. Not relevant for AOI type-2 ICMD calls (same as YES).
Type-2 commands now have additional security options.
OLD (the SMU CTRANS/TCOMMAND definitions above)
NEW
    RDEFINE TIMS AUTOCTL UACC(NONE)
    PERMIT AUTOCTL CLASS(TIMS) ID(AOCMDS) ACCESS(READ)
    ADDUSER AUTOTRAN
    ADDUSER ADDINV
    RDEFINE CIMS STO UACC(NONE)
    PERMIT STO CLASS(CIMS) ID(AUTOTRAN, ADDINV) ACCESS(READ)
Specify the TRANSACT macro AOI= parameter in the IMS definitions.
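The mapping on the AGN slide (SMU AGN statements to JIMS/GIMS/MIMS grouping profiles) and on this AOI slide (CTRANS/TCOMMAND statements to transaction userids and CIMS command-code profiles) is mechanical enough to script. The Python below is an added example and is not IBM's DFSKAGN0 or DFSKCIMS: it parses the SMU )( blocks shown on these slides (embedded as a constructed sample) and prints the RACF commands. Assumptions the example makes: the AGN-to-region-userid mapping is passed in by the caller (in the real system it lives in the AIMS PERMITs); generated grouping profile names are a P, T or L prefix plus the AGN name, cut to eight characters; trancodes used as AOI userids are created as protected userids with NOPASSWORD; and the closing SETROPTS names the member classes, as the refresh slide says.

```python
# Added example (not from the slides, not IBM's DFSKAGN0/DFSKCIMS): convert the
# SMU ")(" statement blocks shown on the AGN and AOI slides into RACF commands.
from collections import defaultdict

# Constructed input: the AGN block and the two AOI blocks from the slides.
SMU_INPUT = """\
)( AGN IMSDGRP
AGPSB DEBS
AGPSB APOL1
AGTRAN TRANA
AGTRAN TRANB
AGLTERM IMSUS02
AGLTERM T3270LD
)(CTRANS AUTOCTL
TCOMMAND START
TCOMMAND STOP
)(TCOMMAND STOP
CTRANS AUTOCTL
CTRANS ADDINV
"""

# AGN member type -> (RAS grouping class, prefix for the generated group name)
AGN_CLASS = {"AGPSB": ("JIMS", "P"), "AGTRAN": ("GIMS", "T"), "AGLTERM": ("MIMS", "L")}
# Grouping class -> member class: SETROPTS names the member class (CIMS, not DIMS)
MEMBER_CLASS = {"JIMS": "IIMS", "GIMS": "TIMS", "MIMS": "LIMS", "CIMS": "CIMS"}


def parse_smu(text):
    """Return [(kind, name, [(member_type, member_name), ...]), ...]; a block starts at ')('."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.startswith(")("):
            kind, name = line[2:].split()
            blocks.append((kind, name, []))
        else:
            mtype, mname = line.split()
            blocks[-1][2].append((mtype, mname))
    return blocks


def agn_to_racf(agn_name, members, region_userids):
    """One AGN -> JIMS/GIMS/MIMS grouping profiles plus PERMITs for the region userids."""
    by_type = defaultdict(list)
    for mtype, mname in members:
        by_type[mtype].append(mname)
    cmds, ids = [], ",".join(region_userids)
    for mtype, names in by_type.items():
        cls, prefix = AGN_CLASS[mtype]
        group = (prefix + agn_name)[:8]          # assumed naming convention
        cmds.append(f"RDEFINE {cls} {group} ADDMEM({','.join(names)}) UACC(NONE)")
        cmds.append(f"PERMIT {group} CLASS({cls}) ID({ids}) ACCESS(READ)")
    return cmds


def aoi_to_racf(blocks):
    """CTRANS/TCOMMAND blocks -> AOI=TRAN style definitions: the trancode becomes a
    RACF userid and the 3-character command code a CIMS profile it may READ."""
    pairs = set()                                 # (trancode, command verb)
    for kind, name, members in blocks:
        if kind == "CTRANS":
            pairs.update((name, m) for t, m in members if t == "TCOMMAND")
        elif kind == "TCOMMAND":
            pairs.update((m, name) for t, m in members if t == "CTRANS")
    # Protected userids (NOPASSWORD): nobody can log on as a trancode.
    cmds = [f"ADDUSER {t} NOPASSWORD" for t in sorted({t for t, _ in pairs})]
    by_code = defaultdict(set)
    for tran, verb in pairs:
        by_code[verb[:3].upper()].add(tran)       # START -> STA, STOP -> STO
    for code in sorted(by_code):
        cmds.append(f"RDEFINE CIMS {code} UACC(NONE)")
        cmds.append(f"PERMIT {code} CLASS(CIMS) ID({','.join(sorted(by_code[code]))}) ACCESS(READ)")
    return cmds


def convert(text, agn_users):
    """Whole SMU text -> RACF command list, ending with activation and refresh."""
    blocks = parse_smu(text)
    cmds, classes = [], set()
    for kind, name, members in blocks:
        if kind == "AGN":
            cmds += agn_to_racf(name, members, agn_users[name])
            classes.update(AGN_CLASS[t][0] for t, _ in members)
    aoi = aoi_to_racf(blocks)
    if aoi:
        cmds += aoi
        classes.add("CIMS")
    member = ",".join(sorted(MEMBER_CLASS[c] for c in classes))
    cmds.append(f"SETROPTS CLASSACT({member})")
    cmds.append(f"SETROPTS RACLIST({member}) REFRESH")
    return cmds


if __name__ == "__main__":
    print("\n".join(convert(SMU_INPUT, {"IMSDGRP": ["BMPUSER1"]})))
```

The output is the command set the two slides show, generated rather than hand-typed; the IBM-supplied DFSKAGN0 and DFSKCIMS programs (PK35433, PK38522) are the supported way to do this, and the point of the script is only to make the SMU-to-RACF mapping explicit before you run them.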
Final override
/NRE or /ERE ... TRANCMDS | NOTRANCMDS
- TRANCMDS: V9 uses SMU; V10 ignores it
- NOTRANCMDS: V9 CMD calls are not allowed; V10 ignores it
Migration steps (AOI):
- Change (or add) AOI1=R in DFSPBxxx
- Restart IMS (can be warm)
- When safe, remove the SMU definitions
PK35433 and PK38522: program DFSKCIMS is provided to assist in the conversion of SMU statements to their RACF counterparts. DFSKSMU1 and DFSKAOI1 assist in adding the AOI= parameter to TRANSACT macros.
Security support (TCO)
- Authorization of the loading of a TCO script by an LTERM is performed only by the DFSTCNT0 exit
- Resource authorization: command and transaction security using SMU; transaction security only using RACF (command security could be requested, but is not performed)
109
w
w
w
w
PD
H F-XC A N GE
PD
H F-XC A N GE
O W !
bu
to
lic
lic
to
bu
N
.c
O W !
w
.d o
.d o
c u-tr a c k
c u-tr a c k
.c
Resource Security (TCO)
- Command and transaction security with SMU in V9, but not in V10
- Command and transaction security with RACF in V9 and V10
DFSCCMD0 (the Command Authorization exit) is also called for command security if it exists (after the SMU check).
Requires a USERID
- The TCO script specifies /SIGN ON tcousid tcopw
- It should also issue /SIGN OFF at the end of the script
(No RACF for commands!)
Requires RCF= A | S | R | B
RACF is called for TCO command security only if TCORACF=Y is also specified.
NEW
    ADDUSER TCOUSID DFLTGRP(IMS) OWNER(IMS) PASSWORD(tcopw)
    PERMIT STA CLASS(CIMS) ID(TCOUSID) ACCESS(READ)
    PERMIT STO CLASS(CIMS) ID(TCOUSID) ACCESS(READ)
    PERMIT STATTRN CLASS(TIMS) ID(TCOUSID) ACCESS(READ)
This example assumes:
- command and transaction profiles already exist
- the TCO userid (TCOUSID) is connected to a RACF group
- the TCO script issues a /SIGN ON for TCOUSID
- RCF= and TCORACF=Y are specified
The above definitions could have been coded in prior releases. If so, authorization for the transaction was done; command authorization, however, was never invoked. In IMS V9/V10 with TCORACF=Y, using the same definitions, RACF is invoked for command authorization as well.
Migration steps (TCO):
- Define the TCO userid and its permissions in RACF
- Add /SIGN ON to all TCO scripts
- Add TCORACF=Y to DFSPBxxx
- Restart IMS (can be warm)
- When safe, remove the SMU definitions
Non-directed routing
- Normal transaction security, using the MSNAME as the LTERM name
- Note: security checking may also have already taken place in the inputting IMS (terminal security or CHNG call security)
Directed routing is when the application explicitly specifies the target location; the target is not necessarily defined in the IMS GEN.
Note that directed and non-directed routing use different userids for security.
[Figure: MSC security flow between IMSA, IMSB and IMSC over MSC links. Non-directed routing: IMSA defines APPLCTN PSB=APPLX / TRANSACT CODE=TRANX SYSID=(01,30); IMSB defines APPLCTN PSB=APPLX / TRANSACT CODE=TRANX. Directed routing: the MPP in IMSA does ISRT TRANZ, and IMSC defines APPLCTN PSB=APPLY / TRANSACT CODE=TRANZ. In each system the check is done either by SMU (SMU tables in a data space) or by RACF through the System Authorization Facility, with ACEEs for USER1 and USER2 and the RACF DB.]
MSCSEC=(parm1, parm2)
parm1 defines the types of MSC link-receive usage that require security: LRDIRECT | LRNONDR | LRALL | LRNONE
RACF and/or DFSCTRN0 is called once, after DFSMSCE0. The userid to be used is defined by MSCSEC parm2 or by the DFSMSCE0 exit.
parm2 defines the userid used for the authorization check:
- CTL = use the userid of the control region
- MSN = use the MSNAME as the userid
- USER = use the terminal user's userid
- EXIT = authorization by the user exit alone (DFSCTRN0)
- CTLEXIT = use the control region userid for RACF and call DFSCTRN0
- MSNEXIT = use the MSNAME as the userid for RACF and call DFSCTRN0
- USREXIT = use the terminal user's userid for RACF and call DFSCTRN0
- NONE = no security authorization checking
Note: with RACF, the security environment for the control region or for an MSNAME is built once, when first used, and retained; the security environment for an end user is built and deleted for each message.
Decide what type of userid to use for directed and non-directed routing
Easier when both the same, but can be different
Update RACF to include new userids (MSNAMEs and Ctl Rgn) if necessary, and grant their access to transactions If using two types of userid, code DFSMSCE0 accordingly Change DFSDCxxx to include MSCSEC=(LRALL,USER |MSN |CTL) Restart IMS When safe, remove SMU definitions
e.g., /LOCK DATABASE payroll (uomecash)
or /SET TRANSACTION paytran (uomecash)
Note: these passwords cannot be used with ETO terminals (ETO and SMU are incompatible)
Senior operators can LOCK and UNLOCK DBs, programs and transactions
Only they know the passwords to do this (when using SMU)
In IMS V9/V10 with RACF, these special people are explicitly authorized to LOCK, UNLOCK and SET specific resources
Grant authority for using these resources to the appropriate userids
Add LOCKSEC=Y to DFSDCxxx
Restart IMS
When safe, remove SMU definitions
Inform users that passwords are no longer needed
Requires SECURITY SECLVL=SIGNON or FORCSIGN
In V9, if a TERMINAL has both an SMU STERM specification and a conflicting OPTIONS=NOSIGNON, then SMU takes precedence
PK35433 and PK38522: programs DFSKSMU1 and DFSKSMU2 are provided to assist in the conversion of )(SIGN SMU statements to the OPTIONS=SIGNON parameter on the TERMINAL macros. Skeleton DFSKSMJS is provided as sample JCL for invoking DFSKSMU1 and DFSKSMU2.
Add OPTIONS=(SIGNON) for all TERMINALs which currently have an explicit SMU signon requirement
Add SIGNON=SPECIFIC to DFSDCxxx
Restart IMS
Other Considerations
Equivalent security can be provided by RACF, but requires that RACF be called from the Transaction and/or Command Authorisation Exits (DFSCTRN0, DFSCCMD0). For example,
Protect the static LTERMs with the LIMS resource class
Define the commands (there are about 50) and/or transaction codes as userids
In DFSCCMD0/DFSCTRN0, invoke RACF to VERIFY the IMS command/transaction as a userid, and authorize it against the LTERM name
The IBM tool IMS ETO Support for z/OS can be used to provide SMU-like security for:
TRANSACTION/LTERM
TRANSACTION/PASSWORD
COMMAND/LTERM
Enable
Requires
Specify NORSCCC(MODBLKS) in DFSCGxxx
Turn off resource consistency checking for Matrix data sets in an IMSplex environment
Define
V9
V10
Possible conflicts of trancodes for AOI and current userids for users
Define
SECURITY
Create
Review
For
Specify
Optionally,
Specify TCORACF=Y
Review AOI requirements
Specify AOI parameter on TRANSACT macro where needed
For
Migrate
Specify
Determine use of SAF/DFSCTRN0 and level of authorization checking in the new MSCSEC parameter in DFSDCxxx
Modify DFSMSCE0 if needed
Synchronize RACF profiles on sending and destination systems
IMS V10 APARs/PTFs:
PK69107/UK38825
PK66030/UK37313
PK56185/UK33359
PK58281/UK32794
PK49538/UK31516
SUMMARY
IMS 9 and IMS 10 include a set of utilities to simplify and expedite the migration from SMU
Supplied via PTFs
Addresses the most manually intensive tasks
Creates corresponding RACF statements
Updates IMS Stage 1 TRANSACT and/or TERMINAL macros as needed
The Stage 1 Analysis Report documents all the appropriate tasks for migrating off SMU
References
IMS V9 System Administration Guide, Chapter 4, SC18-7807-00, available for viewing or download at http://www.ibm.com/ims
IMS Version 9 Implementation Guide, Chapter 6, SG24-6398, http://www.redbooks.ibm.com/redbooks/pdfs/sg246398.pdf
RACF tools
The RACTRACE tool can trace every RACF call from a selected address space via WTO. The tool and documentation can be downloaded from: ftp://www.redbooks.ibm.com/redbooks/GG243984/
Call or Write
Maida Snapper maidalee@us.ibm.com 845-620-5762
IMSGEN? The only way to force the TCO terminal to sign on is to code SIGNON=ALL in DFSDCxx. If you code SIGNON=SPECIFIC or SIGNON=NONE, the TCO terminal will not be required to sign on.
6) Why does my TCO script execute even though I didn't put a valid user ID and password sign on in the script? If TCO doesn't sign on, or signs on and fails verification, and you do not require the TCO terminal to sign on (see above), then RACF will use the IMS control region user ID. If the IMS control region user ID is authorized to do the transaction or command, the script will execute.
7) Why are some of the commands in my TCO script being rejected by RACF even though I have a valid TCO user ID that signs on in the script? If you put a /SIGN OFF at the end of the TCO script, the RACF ACEE for the TCO user ID will be deleted at signoff time. Any time-initiated commands or transactions scheduled to execute at a later time will fail the RACF check. The exception to this is when you do not require the TCO terminal to sign on and the IMS control region is authorized to do the transaction or command. Recommend you do not put /SIGN OFF in the script.