Re: RACF on a Sysplex??

[Jesse 1 Robinson]

Generic profiles had become a standard here years before we cloned the first 
RACF data base. Went so far as to create a still existing usermod to the RACF 
ISPF app that inserts 'Generic' on the main data set profile panels. One would 
have to go out of the way to create a discrete profile. I saw a few over the 
years, but only a handful of dogies.

A discrete profile would be very problematic with a cloned data base. They are 
recognized only by a flag in the VTOC. With generics, cloning is not a major 
effort. BTW, as far as eventual cleanup of unnecessary profile, it doesn't 
really matter very much. What you need to do is make sure that a commonly named 
resource A.B.C has the appropriate access rules in both data bases. That 
matters.  

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Sankaranarayanan, Vignesh
Sent: Friday, May 18, 2018 8:44 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: [EXTERNAL] Re: RACF on a Sysplex??

Hi Skip,

Any scars from not doing so?

– Vignesh
Mainframe Infrastructure

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jesse 1 Robinson
Sent: Saturday 19-May-2018 03:17
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: RACF on a Sysplex??

One sort of obvious point. Before cloning your RACF data base make sure that 
*all* data set profiles are generic. Convert any that are not.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Mark Zelden
Sent: Thursday, May 03, 2018 3:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: RACF on a Sysplex??

My client has a mixture of things, but nothing is ever shared with a sandbox 
LPAR - not even
via RRSF "one way".   It really doesn't seem dangerous to do it one way, but I 
still
prefer to isolate things in a sandbox as completely as possible.

One business unit with 2 large sysplexes has separate RACF databases, but RRSF 
keeps things in sync.  Both have sysplex communications enabled in the DSNT and 
CF structures.

Another business unit has one RACF database shared between 2 sysplexes.  MII is 
the integrity manager and SYSZRACF is excluded, so the DB is protected with 
RESERVEs.

Another business unit has a 2 system basic sysplex and is in GRS ring mode, 
RACF DB is shared between both.  I just checked and SYSZRACF is converted to a 
global ENQ.

Another business unit has a prod / devl LPAR (both monoplexes).  They share a 
RACF
DB.  Since there is no GRS ring, the DB is protected with RESERVE.   There is a 
sandbox
version of this business unit also, but it has its own RACF DB.

There are also 2 sandbox parallel sysplexes each with 2 LPARs that are "clones" 
of the first 2 environments I wrote about - one with GRS, the other with MII. 
Both those sysplexes have their own RACF DBs, have sysplex communications 
enabled in the DSNT and CF structures.

Regards,

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS ITIL v3 
Foundation Certified mailto:m...@mzelden.com Mark's MVS Utilities: 
http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://search390.techtarget.com/ateExperts/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [EXTERNAL] Re: RACF on a Sysplex??

[Sankaranarayanan, Vignesh]

Hi Skip,

Any scars from not doing so?

– Vignesh
Mainframe Infrastructure

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jesse 1 Robinson
Sent: Saturday 19-May-2018 03:17
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: RACF on a Sysplex??

One sort of obvious point. Before cloning your RACF data base make sure that 
*all* data set profiles are generic. Convert any that are not.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Mark Zelden
Sent: Thursday, May 03, 2018 3:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: RACF on a Sysplex??

My client has a mixture of things, but nothing is ever shared with a sandbox 
LPAR - not even
via RRSF "one way".   It really doesn't seem dangerous to do it one way, but I 
still
prefer to isolate things in a sandbox as completely as possible.

One business unit with 2 large sysplexes has separate RACF databases, but RRSF 
keeps things in sync.  Both have sysplex communications enabled in the DSNT and 
CF structures.

Another business unit has one RACF database shared between 2 sysplexes.  MII is 
the integrity manager and SYSZRACF is excluded, so the DB is protected with 
RESERVEs.

Another business unit has a 2 system basic sysplex and is in GRS ring mode, 
RACF DB is shared between both.  I just checked and SYSZRACF is converted to a 
global ENQ.

Another business unit has a prod / devl LPAR (both monoplexes).  They share a 
RACF
DB.  Since there is no GRS ring, the DB is protected with RESERVE.   There is a 
sandbox
version of this business unit also, but it has its own RACF DB.

There are also 2 sandbox parallel sysplexes each with 2 LPARs that are "clones" 
of the first 2 environments I wrote about - one with GRS, the other with MII. 
Both those sysplexes have their own RACF DBs, have sysplex communications 
enabled in the DSNT
and CF structures.

Regards,

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS ITIL v3 
Foundation Certified mailto:m...@mzelden.com Mark's MVS Utilities: 
http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://search390.techtarget.com/ateExperts/


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

MARKSANDSPENCER.COM

 Unless otherwise stated above:
Marks and Spencer plc
Registered Office:
Waterside House
35 North Wharf Road
London
W2 1NW

Registered No. 214436 in England and Wales.

Telephone (020) 7935 4422
Facsimile (020) 7487 2670

www.marksandspencer.com

Please note that electronic mail may be monitored.

This e-mail is confidential. If you received it by mistake, please let us know 
and then delete it from your system; you should not copy, disclose, or 
distribute its contents to anyone nor act in reliance on this e-mail, as this 
is prohibited and may be unlawful.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF on a Sysplex??

[Jesse 1 Robinson]

One sort of obvious point. Before cloning your RACF data base make sure that 
*all* data set profiles are generic. Convert any that are not.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Mark Zelden
Sent: Thursday, May 03, 2018 3:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: RACF on a Sysplex??

My client has a mixture of things, but nothing is ever shared with a sandbox 
LPAR - not even
via RRSF "one way".   It really doesn't seem dangerous to do it one way, but I 
still
prefer to isolate things in a sandbox as completely as possible.  

One business unit with 2 large sysplexes has separate RACF databases, but RRSF 
keeps things in sync.  Both have sysplex communications enabled in the DSNT and 
CF structures.  

Another business unit has one RACF database shared between 2 sysplexes.  MII is 
the integrity manager and SYSZRACF is excluded, so the DB is protected with 
RESERVEs.

Another business unit has a 2 system basic sysplex and is in GRS ring mode, 
RACF DB is shared between both.  I just checked and SYSZRACF is converted to a 
global ENQ. 

Another business unit has a prod / devl LPAR (both monoplexes).  They share a 
RACF
DB.  Since there is no GRS ring, the DB is protected with RESERVE.   There is a 
sandbox
version of this business unit also, but it has its own RACF DB.   

There are also 2 sandbox parallel sysplexes each with 2 LPARs that are "clones" 
of the first 2 environments I wrote about - one with GRS, the other with MII. 
Both those sysplexes have their own RACF DBs, have sysplex communications 
enabled in the DSNT
and CF structures.

Regards,

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS ITIL v3 
Foundation Certified mailto:m...@mzelden.com Mark's MVS Utilities: 
http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://search390.techtarget.com/ateExperts/


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF on a Sysplex??

[Mark Zelden]

My client has a mixture of things, but nothing is ever shared with a sandbox 
LPAR - not even
via RRSF "one way".   It really doesn't seem dangerous to do it one way, but I 
still
prefer to isolate things in a sandbox as completely as possible.  

One business unit with 2 large sysplexes has separate RACF databases, but RRSF 
keeps
things in sync.  Both have sysplex communications enabled in the DSNT and CF 
structures.  

Another business unit has one RACF database shared between 2 sysplexes.  MII is 
the
integrity manager and SYSZRACF is excluded, so the DB is protected with 
RESERVEs.

Another business unit has a 2 system basic sysplex and is in GRS ring mode, 
RACF DB is 
shared between both.  I just checked and SYSZRACF is converted to a global ENQ. 

Another business unit has a prod / devl LPAR (both monoplexes).  They share a 
RACF
DB.  Since there is no GRS ring, the DB is protected with RESERVE.   There is a 
sandbox
version of this business unit also, but it has its own RACF DB.   

There are also 2 sandbox parallel sysplexes each with 2 LPARs that are "clones" 
of the
first 2 environments I wrote about - one with GRS, the other with MII. Both 
those sysplexes
have their own RACF DBs, have sysplex communications enabled in the DSNT
and CF structures.

Regards,

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
ITIL v3 Foundation Certified
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://search390.techtarget.com/ateExperts/
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF on a Sysplex??

[Elardus Engelbrecht]

fred glenlake wrote:

>We are going from one production lpar and one test lpar to two sysplexs, one 
>plex for production, one plex for test.   Currently the RACF databases are 
>shared (yeah not ideal) but they will be split (prod and test on their own 
>databases) once we are sysplexed.
>In preparation for the split and the new sysplexes I want to split up the 
>databases ahead of time.   I am new to sysplexes so excuse the silly questions.
>Currently my primary and backup RACF databases are on DASD, shared DASD 
>between prod and test.   I am going to move them to non-shared DASD so prod 
>has its own databases and test has its own.   In a Sysplex should the RACF 
>databases still reside on DASD that both sides of the sysplexes share (so both 
>prod lpars in the plex) or should they reside in the coupling facility or ??

Wait a moment please. First thing first - Do NOT share any RACF DBs across two 
or more Sysplexes. 

Ensure one and each Sysplex has its own set of RACF DBs. Each LPARs inside the 
Sysplex can share that RACF DB or just use its own RACF DB. I recommend that 
ONE RACF DB is used by all LPARs inside a Sysplex.

From what you said, I believe the safest way is - Make an exact copy of the 
RACF DBs to be used on the other Sysplex.

Say you have two RACF DBs (Primary and Backup) on Volser A and B. Copy them to 
Volser C and D and ensure that one Sysplex is using A and B and another Sysplex 
is using C and D.

In this way you can have 'prod has its own databases and test has its own.'

Then when everything is fine and you have IPLed and verified each Sysplex is 
using its own RACF DBs, now you can get rid of unneeded profiles as needed.

About 'splitting' - IBM is using the word 'splitting' for RACF DB in another, 
but strange way. Let me explain.

In your way of 'splitting', do not use IRRUT400 to do a 'split'. That type of 
'split' by using IRRUT400 is just to spread out your profiles amongst more than 
one datasets inside a RACF DB, but all these datasets are used as ONE RACF DB 
(inside a Sysplex). That type of split is more for performance and resizing.

In your scenario, the only way to 'split' is to make identical copy and then at 
each Sysplex, you can get rid of unneeded profiles from a LPAR inside that 
Sysplex. Say you have ids Prod1 and Test1 on both copies. Now you delete Prod1 
on the test Sysplex RACF DB and also delete Test1 on the Prod RACF DB.

When everything is in order and you can verify each Sysplex has its own RACF 
DBs, then you can setup your XCF so the XCF structures can be used. If you need 
guidance, please e-mail me privately or you can post on RACF-L for more 
guidance.


>Are there any tools that will help me get to my end state, split up the 
>databases, report on the databases, etc.??   Normally I just use the RACF 
>utilities ICH* but perhaps other sites use different tools I could look 
>into.

zSecure (and Vanguard) can help you there, but to do make copies and setting up 
the ICHRDSNT and other modules, you need RACF utilities like IRRMIN00 (for 
templates), IRRUT200 (for making exact copies), IRRUT400 (to re-org the RACF DB 
indexes during copy), IRRDBU00 (for RACF DB unloads and reporting).

Just ensure that all Volsers used by RACF are Non-SMS Volsers (DSORG=PSU) and 
of course not shared by both Sysplexes. 

For clarification:
I have two Sysplexes. Prod and Sandbox. Each Sysplex has numerous LPARs, but 
each Sysplex has its own RACF DBs (Primary and Backup). These sets are on 
different Non-SMS Volsers and are not shared amongst the Sysplex. Each Sysplex 
RACF DBs are cataloged in its own Sysplex Master Catalogs. Each Sysplex has its 
own ICHRDSNT module.

Think about 'isolating' or think about putting each Sysplex in separate prison 
cells where nothing is shared at all and you're a heavy handed guard taking no 
bribes at all. ;-)


>Any suggestions, comments are most welcome.

Post your questions on RACF-L. I'll check you out there. ;-)

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF on a Sysplex??

[Allan Staller]

I would do the split post sysplex.

Make a copy of production to be used by the test sysplex.
Get to the two sysplex mode.
Then do the cleanup.

Remember, you scope of sharing is SYSPLEX. Do not cross sysplex boundaries. You 
will (most likely) be very sorry if you do.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of fred glenlake
Sent: Thursday, May 3, 2018 11:19 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: RACF on a Sysplex??

Hello,

We are going from one production lpar and one test lpar to two sysplexs, one 
plex for production, one plex for test.   Currently the RACF databases are 
shared (yeah not ideal) but they will be split (prod and test on their own 
databases) once we are sysplexed.

In preparation for the split and the new sysplexes I want to split up the 
databases ahead of time.   I am new to sysplexes so excuse the silly questions.

Currently my primary and backup RACF databases are on DASD, shared DASD between 
prod and test.   I am going to move them to non-shared DASD so prod has its own 
databases and test has its own.   In a Sysplex should the RACF databases still 
reside on DASD that both sides of the sysplexes share (so both prod lpars in 
the plex) or should they reside in the coupling facility or ??

Are there any tools that will help me get to my end state, split up the 
databases, report on the databases, etc.??   Normally I just use the RACF 
utilities ICH* but perhaps other sites use different tools I could look 
into.

Any suggestions, comments are most welcome.

FredG.


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
::DISCLAIMER::
--
The contents of this e-mail and any attachment(s) are confidential and intended 
for the named recipient(s) only. E-mail transmission is not guaranteed to be 
secure or error-free as information could be intercepted, corrupted, lost, 
destroyed, arrive late or incomplete, or may contain viruses in transmission. 
The e mail and its contents (with or without referred errors) shall therefore 
not attach any liability on the originator or HCL or its affiliates. Views or 
opinions, if any, presented in this email are solely those of the author and 
may not necessarily reflect the views or opinions of HCL or its affiliates. Any 
form of reproduction, dissemination, copying, disclosure, modification, 
distribution and / or publication of this message without the prior written 
consent of authorized representative of HCL is strictly prohibited. If you have 
received this email in error please delete it and notify the sender 
immediately. Before opening any email and/or attachments, please check them for 
viruses and other defects.
--

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF on a Sysplex??

[Lizette Koehler]

If you have not joined, there is a RACF List that you might like to also ask
this question.

To join, if you have not done so, go to this URL

RACFhttp://www.listserv.uga.edu/archives/racf-l.html

Lizette


> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of
> fred glenlake
> Sent: Thursday, May 03, 2018 9:19 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: RACF on a Sysplex??
> 
> Hello,
> 
> We are going from one production lpar and one test lpar to two sysplexs, one
> plex for production, one plex for test.   Currently the RACF databases are
> shared (yeah not ideal) but they will be split (prod and test on their own
> databases) once we are sysplexed.
> 
> In preparation for the split and the new sysplexes I want to split up the
> databases ahead of time.   I am new to sysplexes so excuse the silly
> questions.
> 
> Currently my primary and backup RACF databases are on DASD, shared DASD
> between prod and test.   I am going to move them to non-shared DASD so prod
> has its own databases and test has its own.   In a Sysplex should the RACF
> databases still reside on DASD that both sides of the sysplexes share (so
> both prod lpars in the plex) or should they reside in the coupling facility
> or ??
> 
> Are there any tools that will help me get to my end state, split up the
> databases, report on the databases, etc.??   Normally I just use the RACF
> utilities ICH* but perhaps other sites use different tools I could look
> into.
> 
> Any suggestions, comments are most welcome.
> 
> FredG.
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to
> lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN