On 9/13/2005 11:08 PM, Leonard Woren wrote:
On Tue, Sep 13, 2005 at 02:24:59PM -0500, McKown, John ([EMAIL PROTECTED]) wrote:

Your auditor is likely used to an ACF2 or TopSecret shop. If the ACF2 or
TSS started task is not running, then your security system is down and
things are nasty (I've done that too, I'm old and made many mistakes
over the years). RACF does not have this vulnerability.


Seriously, that's a feature, not a "vulnerability".  Trying to fix
things when your RACF db is broken is damn near impossible.  Trying
to fix things when your ACF2 db is broken is just really aggravating.
There's a 2 orders of magnitude difference there.

Caveat:  The above is based on my experience with having been in both
situations, but long ago.  However, I have not heard anything since
which would lead me to believe that anything has changed.

With ACF2, you can stop the address space, fix the db, restart the
address space and you're running normally again.  Can this be done
with RACF?

With RACF you generally don't have to "stop" anything. If the primary has suffered a failure, you have a backup and can simply RVARY SWITCH (possibly after also doing a V xxx,OFFLINE,FORCE if necessary to box the device the primary is on).

Or, if the administrator has hosed things up with an ill-advised command you can RVARY INACTIVE, which puts you into failsoft, and the administrator or system programmer can restore a recent backup. Then RVARY ACTIVE and you're going again.

In -my- experience, such problems are exceedingly rare, but relatively simple to cope with, if you have a good strategy in place (active primary/backup DBs, and good backups (nightly, if possible)).


With ACF2, you can stop it and restart immediately pointing to an alternate db with a different name on a different volume.  Can you do this with RACF?

You cannot point to a DB of a different name, but you can inactivate the current DB, rename another one to the same name, and reactivate it immediately.

You also have a backup DB that you can switch to with one command and possibly one operator reply.


        Walt Farrell, CISSP
        z/OS Security Design, IBM

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
