Hey, I'm one of those consultants. :)

I have performed this conversion more than 50 times for customers, and I can 
tell you that there are a lot of areas that you need to address.  On the other 
hand, there is a good chance (depending on a lot of factors) that it might not 
really be that hard for you to do yourself once you understand what is involved 
in the process.  The normal conversion steps are very straightforward, and the 
only really difficult areas are those that were "developed" by the client sites 
themselves. 

Some sites want the conversion to be invisible to the users, which means 
converting the passwords, and doing that without some interface utilities 
(which the consultant companies can supply) is difficult, but if the site is 
willing to tell everyone that they will have to change their password on first 
use, then that step can be a real non-event.  All of the other pieces can be 
handled with either automated utilities (which again can be supplied by the 
consultant), or you can do yourself.  That process is not really difficult at 
all and can be performed (mostly) with REXX execs that you can write yourself.  
If the site is small enough you can probably do it by hand if you're really 
into typing.  The consultant programs will be faster, but only because they 
already exist.  These conversions were performed many times over the years 
(going both directions to/from RACF) so most of the surprises are out of it 
until you hit the site-specific stuff. 

Sites that are solely using the standard SAF interfaces and have not written 
their own code (or have very little of it) to do "special" stuff, can be 
converted in a weekend at most.  The real rub comes with those sites that have 
written extensive code (normally in CICS and/or IMS, but sometimes in batch 
code), that will interface to ACF/2 and Top Secret in some pretty odd ways.  
There is a well known California Utility company that had batch jobs that would 
copy parts of the security files and create flat files and in one case a VSAM 
"database" that was used throughout the day by their application code.  In the 
end with that one I had to write a "black box" program that accepted the calls 
and would get the information directly from RACF (which is what they should 
have done with their original code in the first place).  Because the time given 
to us from their programmers to make the source code changes (which mostly was 
just removing all of it), was something like 87 man years.  With the black-box 
approach we were able to complete the conversion and they will eventually (some 
day) get around to removing the code from their programs.  :)

So, without knowing which end of the spectrum that your site sits (the vanilla 
side or the highly "customized" end), it's hard to give you even an estimate of 
everything you will need to do.  The "good" news is that it's relatively easy 
to figure out how deeply entrenched into your old security product you are now. 
 Generating the plan to move off it can take a little while, but even the most 
difficult conversions will be easier with a good plan.  It's important to get 
this right, so you don't want to rush into anything without a plan.

Also, I hate to say it, but companies that specialize in conversion to and from 
RACF will not be a big help for you if there is a lot (or in most cases any) 
locally written code that does things that you want to keep doing under RACF.  
In some cases, it may not end up being a big deal because what "used" to be 
necessary with user written code 20 years ago is normally not necessary any 
longer in even the current versions of ACF2 or Top Secret, so you might be able 
to remove some of it by simply doing things the "right" way.  Unfortunately, 
when a lot of modules (in the case of the utility company there were over 2,500 
of them in CICS alone) are built to access security incorrectly, it can be a 
bear to resolve.  Application programmers will not be a great help to you in 
that case because, for the most part, they didn't know what was going on in the 
first place with the security code, so getting them to remove their old code 
and replace it (or even if it's just a case of removing the code because RACF 
will do it without their involvement), is like pulling teeth.

If you want to talk to me about this please feel free to contact me offline.  
I'll help you where I can.

Brian

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN