VOLCAT RACF protection

2021-10-05 Thread Juan Mautalen
Hi:

Regarding RACF protection of VOLCAT (tape volume catalog), I found the 
following paragraph in IBM DFSMS documentation:

<
In general, tape users do not require any RACF access authority to the VOLCAT. 
During job processing, the updates to the VOLCAT are made by authorized system 
users. However, the VOLCAT still needs a data set profile and should be defined 
with UACC(NONE). Storage administrators using ISMF should have READ access to 
STGADMIN.IGG.LIBRARY and IDCAMS users should have an access level to 
STGADMIN.IGG.LIBRARY appropriate to the function being performed. For the 
required RACF access level when using IDCAMS, refer to "Required Security 
Authorization for VOLCAT Operations" in z/OS DFSMS Access Method Services 
Commands.
>

How do you understand “authorized system users” in this context?
Is it talking about system tasks that don’t even bother to check RACF authority 
to the VOLCAT?

What about, for instance, address spaces like OAM or DFRMM?
Don’t they need any RACF authority over the DATASET profile protecting VOLCAT?

PS: cross posted to the RACF list

Thanks in advance for your help,

Juan G. Mautalen

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
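The protection the quoted DFSMS text describes, written out as RACF TSO commands; this is an added example, not part of the post or of IBM's documentation. The catalog name SYS1.VOLCAT.VGENERAL, the group STGADMIN and an active, RACLISTed FACILITY class are assumptions.

```tso
/* Added example, not from the post. Assumed: VOLCAT high-level        */
/* qualifier SYS1.VOLCAT, storage administration group STGADMIN,       */
/* FACILITY class active and RACLISTed, GENERIC(DATASET) active.       */

/* 1. Data set profile for the VOLCAT with UACC(NONE), as the DFSMS   */
/*    text requires. A generic profile also covers any future VOLCATs */
/*    under the same qualifier. Log every UPDATE-or-higher attempt.   */
ADDSD 'SYS1.VOLCAT.**' UACC(NONE) AUDIT(ALL(UPDATE))

/* 2. Storage administrators using ISMF need READ on the FACILITY     */
/*    profile STGADMIN.IGG.LIBRARY. IDCAMS users may need a higher    */
/*    level; that is in the AMS Commands manual the post cites.       */
RDEFINE FACILITY STGADMIN.IGG.LIBRARY UACC(NONE) AUDIT(ALL(READ))
PERMIT STGADMIN.IGG.LIBRARY CLASS(FACILITY) ID(STGADMIN) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* 3. Verify: STGADMIN should be the only entry on the FACILITY       */
/*    access list, and the data set profile should have an empty one. */
LISTDSD DATASET('SYS1.VOLCAT.**') AUTHUSER
RLIST FACILITY STGADMIN.IGG.LIBRARY AUTHUSER
```

Since the quoted text says ordinary tape users need no access to the VOLCAT, any user ID that does appear on the data set profile's access list is worth reviewing.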


RACF SERVER Class Activation

2019-01-09 Thread Juan Mautalen
Hi:


We currently have the RACF SERVER class INACTIVE (I am completely unfamiliar 
with it, by the way).

I was asked to set up security for CICS LIBERTY, and according to the 
documentation I must define some profiles in the SERVER class. However, I see 
that SERVER class has a DEFTRETC=8, and activation of such classes must be 
carefully planned.

How can I know what applications, if any, (besides CICS LIBERTY) are making 
security calls in SERVER class, in order to contemplate them before class 
activation? Do you know any “standard” z/OS application that makes such calls?

Should I define a backstop ** profile in SERVER class with UACC(READ) to be safe?

Does having such a backstop with UACC(READ) differ from our current situation 
where SERVER is INACTIVE? I know this depends upon how applications making the 
security checks in SERVER class treat the RC=04 code received when the class 
is inactive… But in the particular case of SERVER class, do applications 
generally allow access when receiving RC=04 from RACF?

Thanks in advance for your help,

Juan Mautalen

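As an added example (not part of the post), one staged way to activate a DEFTRETC=8 class without relying on an open UACC(READ) backstop: a UACC(NONE) backstop in WARNING mode lets every SERVER request through but logs it, so the callers the post asks about can be found before the class is locked down. The CICS Liberty profile name and the region user ID CICSREG are placeholders, and GENERIC(SERVER) is assumed active.

```tso
/* Added example, not from the post. Placeholders: <liberty.profile>,  */
/* CICSREG (CICS region user ID). Assumes GENERIC(SERVER) is active.   */

/* 1. Backstop that grants nothing by itself. WARNING makes RACF allow */
/*    the access anyway and issue an ICH408I warning; AUDIT(ALL(READ)) */
/*    writes an SMF type 80 record for every caller, which is the      */
/*    inventory of SERVER class users the post is looking for.         */
RDEFINE SERVER ** UACC(NONE) WARNING AUDIT(ALL(READ))

/* 2. Activate and RACLIST the class. With DEFTRETC=8, a request with  */
/*    no matching profile would now fail, which is why step 1 is first.*/
SETROPTS CLASSACT(SERVER) RACLIST(SERVER)

/* 3. The CICS Liberty profile itself, with only the region permitted. */
/*    Take the real resource name from the CICS Liberty documentation. */
RDEFINE SERVER <liberty.profile> UACC(NONE)
PERMIT <liberty.profile> CLASS(SERVER) ID(CICSREG) ACCESS(READ)
SETROPTS RACLIST(SERVER) REFRESH

/* 4. Once the warnings have been reviewed and any other callers given */
/*    their own profiles, drop WARNING so the backstop denies instead  */
/*    of merely logging.                                               */
RALTER SERVER ** NOWARNING
SETROPTS RACLIST(SERVER) REFRESH
```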


TELNET under TLS - Performance impact?

2018-12-10 Thread Juan Mautalen
Hi!

We have implemented SECURE TELNET. Our implementation is using AT-TLS (we 
have configured PAGENT, that installs its AT-TLS policies to the TCPIP stack). 
We also have ICSF up and running, and digital certificates' private keys are 
stored in ICSF. Also CPACF coprocessors are available.

TLS involves both asymmetric and symmetric encryption. The former 
(basically involving just the initial handshake process), as far as I know, is 
performed by the Crypto Express adapters, so it should not have a noticeable 
impact on general GCPU (general purpose processor CPU) consumption. However, 
after the initial handshake, all the traffic is symmetrically 
encrypted/decrypted, and I assume it is performed by GCPU (using CPACF 
extension). Is this right?

If that is the case, what Address Spaces (AS) should I monitor closely to 
reassure the impact of TLS TELNET encrypting on GCPU? TELNET? TCPIP? Other?
In any case, do you expect a noticeable impact on GCPU usage by requiring TELNET 
under TLS?

Thanks in advance for your help,

JUAN MAUTALEN




CPACF usage

2014-10-31 Thread Juan Mautalen
Hi!

We have CPACF enabled, as shown by HMC. On the other hand, we have configured 
TN3270 over SSL. It seems to be working fine, because we can successfully 
connect from an emulator program to the TELNET secure port and a protocol 
analyzer (Wireshark, in this case) actually shows that the traffic is indeed 
encrypted. My question is regarding CPACF usage:
Is CPACF automatically used for SSL instructions (if enabled) or is there 
something else to be done in order to make it work? We don't have ICSF 
configured, but it is my understanding that it is not necessary for CPACF 
exploitation.

Thanks in advance for your help,

JUAN MAUTALEN



JCL and date variables

2014-01-07 Thread Juan Mautalen
Hi:

I have a question regarding JCL and date variables. I need to run a job daily, 
whose output must be written to a partitioned dataset with a member name 
referring to the day before job execution.

Example:
If the job runs today, January 7 of 2014, it must create the member F140106 
(and not F140107). That is because the job processes information from the day 
before (and not from the day it is indeed running).

Is there a way to achieve this purely from JCL? We have z/OS 1.13.

Thanks in advance for your help,

JUAN MAUTALEN



Console LOGON and SYSPLEX

2012-09-13 Thread Juan Mautalen
Hi:

We have 2 Lpars in sysplex (z/OS 1.11), say LparA and LparB. Consoles are 
configured with LOGON(OPTIONAL) on both systems. Each system has its own RACF 
database.

If an operator is already logged on to an LparA console and tries to log on to an 
LparB console, then logon fails with the following message:

CNZ0005I LOGON REJECTED. REASON=USERID ABC123 IN USE ON SYSTEM SYSA 
CONSOLE MSTRSYSA   

Is this normal behaviour?
Is there any configuration change that can be made to allow the same operator 
to log on to consoles on both systems at the same time?

Thanks in advance for your help,

JUAN MAUTALEN
