DFSMSHSM TAPESECURITY(RACF)

2013-11-27 Thread Arye Shemer
Hello dear experts.

I have a customer who is considering using HSM (never used HSM before).

We are trying to understand whether, when using the TAPESECURITY(RACF) option
of HSM, we also have to manually add each HSM VOLSER to the RACF TAPEVOL
HSMABR profile.

We are getting mixed and confusing messages from HSM.

Reading the books makes us think that this should be done automatically
by HSM.

Are we missing something obvious?

Thanks for any tips and clarifications,

Arye Shemer.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: DFSMSHSM TAPESECURITY(RACF)

2013-11-27 Thread Lizette Koehler
Could you state what version of z/OS you are running?

And what are you looking to do with TAPESECURITY for DFSMShsm? Why do you
want to use this?  

Lizette



Re: DFSMSHSM TAPESECURITY(RACF)

2013-11-27 Thread retired mainframer
At our customers' sites that use HSM, we use
TAPESECURITY(EXPIRATIONINCLUDE) and let the tape management system (CA-1)
handle tape security issues in conjunction with normal RACF dataset
protection.  None of the HSM volsers are entered into RACF.  Making HSM an
External Data Manager to CA-1 handles the expiration issues.



Re: DFSMSHSM TAPESECURITY(RACF)

2013-11-27 Thread Arye Shemer
Thank you for the suggestions and the willingness to share your experience.

1. The level of the operating system is z/OS 1.13.
2. The customer has not yet determined how he wants to set up the security in
his HSM.
His initial request was to take the strictest security method HSM provides
(TAPESECURITY(RACF)).
After some thought and discussion, he seems to prefer that his tape
management system (CNTL-T) take care
of the security (as suggested here on the thread).




Re: DFSMSHSM TAPESECURITY(RACF)

2013-11-27 Thread Elardus Engelbrecht
Arye Shemer wrote:

>His initial request was to take the strictest security method HSM provides
> (TAPESECURITY(RACF)).

What we're using:

SETSYS NORACFIND
SETSYS TAPESECURITY(RACF)
SETSYS NOERASEONSCRATCH
SETSYS NOPROFILEBACKUP

These settings are practical for us with good security. YMMV.

>After some thought and discussion, he seems to prefer that his tape management
>system (CNTL-T) take care of the security (as suggested here on the
>thread).

Are you referring to Control-T? If so, yes, using tape management for security
is a good idea. You will need some profiles in the FACILITY class to turn on
security, as well as some exits. Just remember these things in RACF: TAPEDSN and
TAPEVOL.

How many volsers do you have? This will determine how you define profiles in
TAPEVOL. Are you using VTS or physical cartridges?

Groete / Greetings
Elardus Engelbrecht



Re: DFSMSHSM TAPESECURITY(RACF)

2013-11-29 Thread Arye Shemer
Thank you Elardus,
Yes, I meant Control-T.
We are using physical cartridges, no VTS.
Thanks for your suggestions and for sharing your settings.

Best regards,
Arye Shemer




Re: DFSMSHSM TAPESECURITY(RACF)

2013-12-02 Thread Mike Wood
Arye,
  In general, if you value the data that hsm has placed on tape, you should
ensure that the data is protected. This means there has to be some RACF profile
(or equivalent) protecting the volume or the data, and the system (or some
other involved party) has to make the RACROUTE call to check that the person
opening the data set on the tape volume is authorized to do so.
  I would always recommend you protect hsm tapes. Depending on your security
product this might be TAPEVOL profiles or DATASET profiles or even a
combination. The choices for protecting hsm tapes are given in the hsm books,
where it even describes when hsm will automatically protect its own tapes using
TAPEVOL profiles.
  Some tape management products, such as CA-1, have options to control if
security checks are issued - if you are not using the RACF TAPEDSN option, or
the RACF TAPEVOL class, you need to look at this. z/OS also has a DEVSUPxx
option TAPEAUTHDSN which is described in the z/OS Init & Tuning guide.
  Remember that hsm runs with OPERATIONS and PRIVILEGED - so gains access to
anyone else's data if it tries. So your tape management system has to ensure
complete 44 character dsname checking.
  I would also check if your tape management system issues RACROUTE checks for
'EDMs' and also does full 44 character dsname checking.

It is not straightforward, but well worth doing and getting correct.

Mike Wood   - rmm expert and tape management & security consultant
