VOLCAT RACF protection
Hi:

Regarding RACF protection of VOLCAT (tape volume catalog), I found the following paragraph in IBM DFSMS documentation:

< In general, tape users do not require any RACF access authority to the VOLCAT. During job processing, the updates to the VOLCAT are made by authorized system users. However, the VOLCAT still needs a data set profile and should be defined with UACC(NONE). Storage administrators using ISMF should have READ access to STGADMIN.IGG.LIBRARY and IDCAMS users should have an access level to STGADMIN.IGG.LIBRARY appropriate to the function being performed. For the required RACF access level when using IDCAMS, refer to "Required Security Authorization for VOLCAT Operations" in z/OS DFSMS Access Method Services Commands. >

How do you understand "authorized system users" in this context? Is it talking about system tasks that don't even bother to check RACF authority to the VOLCAT? What about, for instance, address spaces like OAM or DFRMM? Don't they need any RACF authority over the DATASET profile protecting VOLCAT?

P.S.: cross-posted to the RACF list.

Thanks in advance for your help,
Juan G. Mautalen

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
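The profile layout the quoted IBM text describes (a DATASET profile with UACC(NONE) for the VOLCAT plus READ on the STGADMIN.IGG.LIBRARY FACILITY resource for storage administrators), written out as a TSO/E REXX exec that issues the RACF commands. This is an added example, not code from the original post or from IBM documentation; the VOLCAT data set name SYS1.VOLCAT.VGENERAL and the group name STGADMIN are assumed placeholders, and the exec assumes the FACILITY class is active and that the caller has RACF SPECIAL authority.

```rexx
/* REXX - added example (not from the original post or IBM docs):
   apply the VOLCAT protection the quoted DFSMS text describes.
   Run from TSO under a RACF SPECIAL user. The data set and group
   names below are assumed placeholders, not values from the post. */
volcat   = "'SYS1.VOLCAT.VGENERAL'"   /* assumed VOLCAT data set name */
stgGroup = "STGADMIN"                  /* assumed storage-admin group  */

address TSO

/* Data set profile with no default access. Access failures are
   audited so that any caller that is denied (a started task, a
   batch user) is recorded in SMF type 80 rather than failing
   silently; that record is how to find out who really needs a
   PERMIT instead of guessing.                                     */
"ADDSD" volcat "UACC(NONE) AUDIT(FAILURES(READ))"

/* FACILITY resource that gates VOLCAT maintenance through ISMF and
   IDCAMS. Default access is NONE; storage administrators get READ. */
"RDEFINE FACILITY STGADMIN.IGG.LIBRARY UACC(NONE) AUDIT(ALL(READ))"
"PERMIT STGADMIN.IGG.LIBRARY CLASS(FACILITY) ID("stgGroup") ACCESS(READ)"

/* Make the FACILITY change effective if the class is RACLISTed. */
"SETROPTS RACLIST(FACILITY) REFRESH"

/* Verify the resulting access lists. */
"LISTDSD DATASET("volcat") AUTHUSER"
"RLIST FACILITY STGADMIN.IGG.LIBRARY AUTHUSER"

exit 0
```

ADDSD without GENERIC creates a discrete profile; sites that cover the volume catalogs with a generic profile (for example 'SYS1.VOLCAT.*' defined with GENERIC) would replace the ADDSD line accordingly. The AUDIT(FAILURES(READ)) setting is the practical check for the question raised in the post: after the profile is in place, any address space that actually does need access to the VOLCAT data set and lacks it shows up as an ICH408I message and an SMF type 80 record.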
RACF SERVER Class Activation
Hi:

We currently have the RACF SERVER class INACTIVE (I am completely unfamiliar with it, by the way). I was asked to set up security for CICS LIBERTY, and according to the documentation I must define some profiles in the SERVER class. However, I see that SERVER class has a DEFTRETC=8, and activation of such classes must be carefully planned.

How can I know what applications, if any, (besides CICS LIBERTY) are making security calls in SERVER class, in order to contemplate them before class activation? Do you know any "standard" z/OS application that makes such calls?

Should I define a backstop ** profile in SERVER class with UACC(READ) to be safe? Does having such a backstop with UACC(READ) differ from our current situation where SERVER is INACTIVE? I know this depends upon how applications making the security checks in SERVER class treat the RC=04 code received when the class is inactive... But in the particular case of SERVER class, do applications generally allow access when receiving RC=04 from RACF?

Thanks in advance for your help,
Juan Mautalen
TELNET under TLS - Performance impact?
Hi!

We have implemented SECURE TELNET. Our implementation is using AT-TLS (we have configured PAGENT, which installs its AT-TLS policies to the TCPIP stack). We also have ICSF up and running, and digital certificates' private keys are stored in ICSF. Also, CPACF coprocessors are available.

TLS involves both asymmetric and symmetric encryption. The former (basically involving just the initial handshake process), as far as I know, is performed by the Crypto Express adapters, so it should not have a noticeable impact on general GCPU (general purpose processor CPU) consumption. However, after the initial handshake, all the traffic is symmetrically encrypted/decrypted, and I assume it is performed by GCPU (using CPACF extension). Is this right?

If that is the case, what Address Spaces (AS) should I monitor closely to assess the impact of TLS TELNET encrypting on GCPU? TELNET? TCPIP? Other? In any case, do you expect a noticeable impact on GCPU usage by requiring TELNET under TLS?

Thanks in advance for your help,
JUAN MAUTALEN
CPACF usage
Hi!

We have CPACF enabled, as shown by HMC. On the other hand, we have configured TN3270 over SSL. It seems to be working fine, because we can successfully connect from an emulator program to the TELNET secure port and a protocol analyzer (Wireshark, in this case) actually shows that the traffic is indeed encrypted.

My question is regarding CPACF usage: is CPACF automatically used for SSL instructions (if enabled) or is there something else to be done in order to make it work? We don't have ICSF configured, but it is my understanding that it is not necessary for CPACF exploitation.

Thanks in advance for your help,
JUAN MAUTALEN
JCL and date variables
Hi:

I have a question regarding JCL and date variables. I need to run a job daily, whose output must be written to a partitioned dataset with a member name referring to the day before job execution. Example: if the job runs today, January 7, 2014, it must create the member F140106 (and not F140107). That is because the job processes information from the day before (and not from the day it is indeed running).

Is there a way to achieve this purely from JCL? We have z/OS 1.13.

Thanks in advance for your help,
JUAN MAUTALEN
Console LOGON and SYSPLEX
Hi:

We have 2 Lpars in sysplex (z/OS 1.11), say LparA and LparB. Consoles are configured with LOGON(OPTIONAL) on both systems. Each system has its own RACF database. If an operator is already logged on to an LparA console and tries to logon to an LparB console, then logon fails with the following message:

CNZ0005I LOGON REJECTED. REASON=USERID ABC123 IN USE ON SYSTEM SYSA CONSOLE MSTRSYSA

Is this normal behaviour? Is there any configuration change that can be made to allow the same operator to logon to consoles on both systems at the same time?

Thanks in advance for your help,
JUAN MAUTALEN