(If you don't use RACF, feel free to ignore this message.) In z/OS R10 we implemented some new RACF checks in the Health Checker for z/OS to warn you if you have any entries in ICHAUTAB, the RACF Authorized Caller Table.
For those not familiar with ICHAUTAB, it's a very old RACF facility that you can use to allow non-authorized (neither APF, supervisor state, nor system key) programs to issue some forms of RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=LIST. However, as we document, it's dangerous to use ICHAUTAB, and we recommend not using it, so we decided that we should implement the check for entries in ICHAUTAB and warn you about them.

Ideally, I would like to completely remove ICHAUTAB processing from RACF, and simply require that all invokers of the RACROUTE REQUEST=VERIFY and LIST functions run with authorization (APF, supervisor state, or system key). So I thought I'd conduct a bit of research to see who, if anyone, is using it and why. This should help us gauge the consequences of removing ICHAUTAB, should we decide to do so in some future z/OS release.

So, if you use RACF and have any entries in ICHAUTAB, I'd like you to send me an email describing the entries that you have and why you need them. Please send the responses to me (mailto: [EMAIL PROTECTED]), not to IBM-MAIN. Depending on the responses I may make further requests or provide some feedback to the list.

I've also posted this on RACF-L. Apologies in advance to those of you on both lists who will see this twice, and to those of you on IBM-MAIN who do not use RACF.

Thanks,
Walt

------------------------------------------------------------------
Walter Farrell/Poughkeepsie/[EMAIL PROTECTED]
STSM, z/OS Security Design
845-435-7750 (tie: 295)
e-mail: [EMAIL PROTECTED]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html