RACF Security - Boot Camp
This comprehensive ten-day 'Boot Camp' course provides an accelerated learning approach to the mainframe RACF security environment. The course is ideal for both Systems Programmers and Security Administrators.
RACF itself is covered in great detail, along with its use with z/OS and UNIX System Services. Overviews of RACF in CICS, WebSphere, Db2 and IBM MQ environments are also included.
The regular, hands-on lab exercises give students the opportunity to try out their newly-gained skills immediately.
On successfully completing this boot camp, attendees will have reached the skill level needed to enable them to efficiently and effectively carry out the tasks required of a systems programmer or security administrator in a z/OS environment.
This course is available for exclusive, one-companyThis course is available for exclusive, one-company presentations either on-site at your location or live over the Internet, via RSM's Virtual Classroom Environment service..
What you will learn
On successful completion of this course you will be able to:
- explain the need for security in business information systems
- describe how RACF meets business information systems security needs
- design a group structure to meet their installation's requirements
- explain & use RACF commands
- describe the effect of the various group profile related parameters
- explain the management and use of the various non-RACF segments in user profiles
- connect users to groups and manage the assigned group authorities
- use the data set related commands to manage both discrete and generic profiles
- manage general resources
- use and explain the operation of the basic setropts management commands
- use and interpret the output of the Data Security Monitor
- use the database unload utility, cross reference utility, remove id utility, database verification utility, database split/merge/extend utility, and the database block update utility
- run and interpret auditing reports
- describe and explain in detail the RACF architecture, its components and facilities
- understand and use the SETROPTS and RVARY command to manipulate the RACF options and database
- use Advanced General Resources classes
- define users to use TSO and SDSF
- define the parameters needed to set up security for JES2
- describe the facilities provided by RRSF
- describe the B1 Security parameters including Security labels, levels and categories
- list what facilities RACF provides for Digital Certificates
- customise RACF to meet the requirements of their organisation and its environment
- describe how RACF interacts with USS, Db2 for z/OS and CICS
- describe and use all of the RACF Utilities
- identify how the operation of RACF changes when running in a parallel sysplex
- describe and explain the IPL process and the security issues associated with facilities such as APF, PPT, System Exits and Linklist
- describe the components of the RACF database
- describe the necessary requirements to implement a secure UNIX System Services environment
- administer file access
- list the RACF UNIX System Services General Resource Classes
- move around the UNIX System Services environment and describe the use of shell
- implement UNIX System Services commands
- use file systems and ACLs
- mount and un-mount HFS files
- understand the use of superuser and UID(0)
- describe Db2 security
- understand terminology used with Db2 security
- describe the necessary requirements to implement a secure RACF CICS environment
- describe how CICS and Db2 security work together
- describe the necessary requirements to implement a secure RACF WebSphere environment
- describe the necessary requirements to implement a RACF MQ application.
Who Should Attend
Systems Programmers and Security Administrators coming new to RACF.
Prerequisites
A firm grounding in the mainframe computing environment, including skills in TSO and JCL.
Duration
10 days
Fee (per attendee)
P.O.A.
This includes free online 24/7 access to course notes.
Hard copy course notes are available on request from rsmshop@rsm.co.uk
at £50.00 plus carriage per set.
Course Code
RABC
Contents
Introduction to RACF
What is RACF?; Why do we need security?; Security in the 'old days'; Security these days; What security do we need?; Where are the dangers?; How can RACF help?; RACF profiles; How RACF operates; The RACF database; Multiple data set database; Resource classes.
z/OS Technical Overview
z/OS controls & drivers; The IPL process; PARMLIB & IPLPARM; Display IPLINFO; LOADxx & IODF; System parameter list IEASYSxx; What is APF?; Defining an APF authorised library; Program Properties Table; Linklist; Dynamic changes; SMFPRMxx; System exits; In-storage profiles; RACLIST & GENLIST; Group tree in storage; ACEE data in memory.
The RACF Database
The RACF database; Database format; Database templates; RACF templates; Issues; Dynamic template objectives; New template support; RACF initialisation; IRRMIN00; Multiple database support; RACF database sharing; The RVARY command; RVARY passwords; RACF FAILSOFT processing; Database backup & recovery.
SETROPTS and RVARY
Basic SETROPTS; Dataset Related parameters; General Related Parameters;InStorage Profile parameters, B1 Security parameters;JES parameters; Userid and Password parameters; AUDIT parameters; SETROPTS command authority; the RVARY command;RVARY Passwords; RACF FAILSOFT processing .
RACF in a Sysplex
Types of Sysplex; basic Sysplex; Parallel Sysplex; RACF and Sysplex; RACF communication; RACF data sharing; RACF data sharing problems; the four Sysplex modes; the RACF database name table; Coupling Facility structures; defining Coupling Facility structures; in-storage profiles; RACLISTed profiles via RACROUTE; in-storage profiles and Sysplex; introducing RACGLIST; RACGLIST and REFRESH; using RACGLIST.
The RACF Manuals
The manual library; RACF Security Administrators' Guide; RACF features; z/OS features; Other products; Related non-RACF manuals; RACF command language reference; BookManager and Adobe pdf.
Planning for Security
The Security Policy; Resource ownership; How to protect resources?; Grouping resources and users; Document the plan.
The RACF Commands
Entering RACF commands; RACF commands and the manuals; Entering RACF commands in batch; Online Help.
RACF Modules
RACF control tables; Modules everywhere!; ICHRDSNT; ICHRRNG; Class Descriptor Table (CDT); Dynamic CDT; Defining a Dynamic CDT; Rules; POSIT values; New segment CDTINFO; CDTINFO options; Managing Dynamic CDTs; Migration Utility (CDT2DYN); ICHRFR01; ICHRIN03; ICHAUTAB; ICHNCV00.
Group Structure
What are Groups?; Why have Groups?; Users and Groups; The initial group structure; The Group Hierarchy; System Special and Group Special; Group Profile ownership; Group connections.
Defining RACF Groups
Group profile commands; Basic ADDGROUP; Specifying the SUPerior GROUP & OWNER; Other ADDGROUP parameters; Non-RACF segments - DFP, z/OS and zVM; Full ADDGROUP syntax; Full ALTGROUP syntax; Full LISTGRP syntax; LISTGRP output; Full DELGROUP syntax; Group command authority; SEARCH command.
Defining Users
User profile commands; Basic ADDUSER; Specifying the default group; Group authority; Class authority; RACF authorities; RACF attributes; Security levels and security categories; Security level checking; Security category checking; Security labels; Other ADDUSER parameters; Non-RACF segments; Full ADDUSER syntax; Basic ALTUSER; ALTUSER-only parameters; Full LISTUSER syntax; LISTUSER output; Full DELUSER syntax; User command authority; Basic PASSWORD; Changing other users' passwords; Full syntax of PASSWORD; Password command authority.
Connecting Users to Groups
Connect and Remove Commands; Basic CONNECT; Full CONNECT Syntax; Basic REMOVE; Full REMOVE Syntax; Connect/Remove command authority.
Defining TSO Users
TSO & RACF; The TSO segment of a user profile; TSO General Resource classes; TSO/E logon screen; TSO administration; Defining TSOPROC class and profiles; Defining ACCTNUM class and profiles; Defining TSOAUTH class (including JCL, CONSOLE,PARMLIB and OPER); When the class is CONSOLE; When the class is OPERCMDS.
Dataset Profiles
Dataset profile commands; Basic ADDSD; Discrete data set profiles; Discrete profile parameters; Generic data set profiles; Generic wildcard characters - %; Generic wildcard characters - *; Generic wildcard characters - **; Specifying data set attributes; Access levels; Auditing access attempts; Profile copying; Security level & category checking; Other profile attributes; Full ADDSD syntax; Basic ALTDSD; ALTDSD-only parameters; Full ALTDSD syntax; Basic LISTDSD; Listing many data set profiles; Listing generic or discrete profiles; Specifying what to list; Full LISTDSD syntax; LISTDSD output; Full DELDSD syntax; Data set command authority; Basic PERMIT; Conditional access lists; Permitting many users access; Removing users and groups; Deleting access lists; Full PERMIT syntax; PERMIT command authority; SETROPTS REFRESH GENERIC(data set); SEARCH command basics; SEARCH control parameters; The FILTER & MASK parameters.
General Resource Profiles
General resource profile commands; Basic RDEFINE; Common RDEFINE parameters; Adding additional profile information; Full RDEFINE syntax; The Started Task Table; Using ICHRIN03; Using the STARTED class; Resource grouping classes; Protecting CICS transactions; Protecting load modules; Basic RALTER; RALTER-only parameters; Full RALTER syntax; Basic RLIST; Common RLIST parameters; Listing Non-RACF segments; Special RLIST features; Full RLIST syntax; RLIST output; Full RDELETE syntax; Remember PERMIT?; General resource command authority; The Global Access Checking table; In-storage profiles; In-storage profile parameters.
Introduction to UNIX System Services
Course agenda; What are 'Open Systems'?; z/OS USS; Benefits of USS; z/OS USS components; z/OS UNIX interfaces; HFS; SAF for z/OS UNIX; USS security with RACF.
Users & Groups
UNIX user definition; Users & Groups; User & Group Profiles; RACF User/Group profile extensions; UNIX identity; RACF commands for Users; RACF commands for Groups; System Resource limits; OMVS segment - additions; The SEARCH command; Security administration.
Superusers & UID/GID Management
User definition - superuser; BPX.SUPERUSER; Switch to superuser mode; Superuser granularity; UNIPRIV resource names; UNIPRIV class; Managing UIDs; Prevention of shared UIDs; Shared UIDs; Prevention of shared UIDs - example; Search enhancement to map UID & GID; Automatic UID/GID assignment.
Application Identity Mapping
Application Identity Mapping.
z/OS UNIX File Security
Directories & files; UNIX file security; Protecting directories & files; Access levels; The File Security Packet (FSP); Reading File Permissions; Basic - file authorisation checking; File Permission - examples; Protecting files; chmod command examples; chown command - change file owner; chmod - change file mode (permissions); Protecting files; File authorisation checking with UNIXPRIV; RESTRICTED attribute; Default file permissions & unmask; List file & directory information.
Access Control Lists (ACLs)
Access Control Lists (ACLs); Three Types of ACL; Two types of Access ACL - base; Two types of Access ACL - extended; Permission Bits & ACLs ; Authority to create ACLs; The getfacl & setfacl commands; getfacl; setfacl; Managing ACLs; getfacl - no ACLs; getfacl - display ACLs for directory; ACL examples; setfacl - change permission bits; ACL examples; ACL inheritance; Directory default ACLs; File default ACLs; getfacl - display all ACLs; UNIXPRIV & ACLs; Authorisation checking - summary; Recommendations.
Security for Daemons & Servers
UNIX level security for Daemons; RACF profiles for daemon security; Server overview; UNIX level security for servers; RACF profiles for server security; Recommendations.
Interpreting Messages
Interpreting ICH4081 messages; Interpreting BPX messages; Interpreting other messages.
RACF & Digital Certificates
Cryptography in Internet applications; Public key cryptography overview; What is a digital certificate?; Public key & certificate; Uses for certificates in applications; Secure Sockets Layer (SSL); Digital certificates and RACF; How RACF uses digital certificates; RACF classes & commands; RACF certification generation; RACDCERT command; Creating a certificate; Gencert examples; Key rings; Certification installation; RACDCERT ADD examples; Certification installation; Certificate management.
Advanced General Resources
The FACILITY Class in general; The HELPDESK function; Setting up the HELPDESK facility classes; Password Reset and List User with the Owner and Group functions; RACF Variables; Using the RACFVARS Class; Using RACF variables; FIELD Level access checking; Using the FIELD class;Delegating TSO Administration; Security for OMVS; Using the CFIELD class; What is a CUSTOM FIELD; RACF Command changes; Define a Custom Field; Activate a Custom Field; Putting data into a Custom Field; Authorisation for CSDATA; RACF Panel changes; RACF Profile segments; OPERATIONS Attribute; DASD volume operations; Access to DASD volumes; DASDVOL profiles; RACF security for TAPES; Tape volume protection; Tape dataset protection: TAPEVOL, BLP.
RACF & JES2/SDSF
RACF & JES2; JES resources protected by RACF; Batch user identification; Userid propagation; Surrogate Job Control; JES Earlyverification; Started Task identification; SETROPTS options for JES; Network Job Entry (NJE); Remote Job Entry (RJE); z/OS security environment; Resource classes for JES security; Securing jobs with RACF; Job input processing; Job submission control; Job validation; JES job input sources; JESINPUT - controlling Port-Of-Entry device names; Job name control; TSO SUBMIT/CANCEL commands; SURROGAT class; Surrogate job submission; Job input processing: PROPCNTL & SECLABEL; Nodes class; NJE security; Controlling transmission to other nodes; Controlling receipt of jobs & sysout; Propagation through NJE; Translation between nodes; RJE/RJP signon & logon security; Controlling output destinations; Spool protection; JES dataset name format; JESPOOL class profiles; Controlling messages; Controlling data transmission; SDSF; SDSF authorised commands; SDSF line & implicit commands.
RACF Remote Sharing Facility
The RACF Remote Sharing Facility; RACF command direction; RACF password synchronisation; managed user associations; controlling RACLINK use; controlling password synchronisation; controlling the AT keyword; automatic RACF command direction; controlling automatic RACF command direction; combined RACF command direction; use of ONLYAT keyword; automatic password synchronisation; controlling automatic password synchronisation; password synchronisation by command; combined RACF command direction; defining RRSF nodes; the RACF subsystem & parameter library; APPC and TCP/IP connections; Using Digital Certificates for RRSF.
Introduction to Db2 Security
Security overview; Sign-on security; Connection security; Db2 internal security; Other options; Security strategy (Transaction Manager or Db2); Security strategy (centralised or decentralised); Using remote applications..
Defining the Db2 Subsystem to RACF
Address space authorisation; Protected access profiles; RACF router table; Db2 address spaces; Permitting RACF access; Protecting Db2 datasets - create profiles; Protecting Db2 datasets - permitting access.
Defining Db2 Objects to RACF
Native Db2 security; Db2 with RACF; RACF / Db2 external security module; Installation; Mapping Db2 authorisation checks; Scope of RACF classes; Multi-subsystem scope classes; Single subsystem scope classes; Customisation; Db2 objects and RACF classes; Profiles; Privileges - buffer pools, storage groups & tablespaces ; Privileges - Db2 system; Privileges - database and schema; Privileges - tables, views, indexes and user-defined functions; Privileges - collection, plan and package; Privileges - distinct types, sequences and stored procedures; Privileges - administrative authorities; Insufficient authority; Migration tools.
CICS Overview
The CICS family; Today's CICS; Product Identifiers; What is CICS?; Terminology; CICS tables; What is a Business Transaction?; What is a CICS task /CICS transaction?; What is a CICS program?; CICS characteristics; On-line processing; IBM CICS Transaction Server for z/OS; Workload management; Access to CICS; Accessing CICS from the Web; CICS Web Support (CWS); CICS Web Services; CICS Web Services support; The IBM client family; IBM CICS Transaction Gateway, Version 7.0; XML support; CICS organisation; Application services; Principal Domains/Management modules; CICS resource definitions; RDO overview; RDO components; The CICS System Definition File; The CICS Global Catalog; Available documentation (RACF related).
Setting up CICS RACF Security
Setting up CICS RACF security; CICS SIT parameters; SIT parameters: typical configuration; Protect the CICS region; User access from a terminal; User signon; Controlling userid propagation; PROPCNTL; Surrogat; Member or grouping class? ; Example of member class profiles; Example of grouping class profiles; How RACF merges profiles; Who has access to STOH?; Setting up CICS RACF security.
IBM MQ Security Overview
Introduction; Non-Queue Sharing Groups; Queue Sharing Groups; IBM MQ security overview.
MQ Access Control and RACF
Connection security; RESLEVEL profile; RESLEVEL & Batch; RESLEVEL and CICS; Reslevel and IMS; Reslevel and Channel Initiator connections; RESLEVEL & IGQ; MQ API security; High Level Qualifiers; MQOPEN & MQPUT1; Queues requiring additional consideration; Model queues; MQADMIN class; API security - userids; How to read UserID tables; Userids - channel security; Receiving channels using TCP/IP; Receiving channels using APPC (LU6.2); Userids - IGQ security; MQ command security - two types; Command security - Userids; Link Level security - SSL.
Overview of WebSphere for z/OS
J2EE; Application Servers; WebSphere Application Server (WAS); Application Servers connect to data or transactions; WebSphere Application Server on z/OS; Execution environment; Connecting through an HTTP server; Connecting directly to WebSphere; Configuration options; Entire configuration kept in HFS; The basic component - Application Server; Nodes - collections of servers; Deployment Manager; Node Agent; The Cell; The Daemon; Key terms; Multiple cells allowed; How do we build it?; The Administrative Console; Security.
WebSphere & J2EE Security Overview
Where do you start?; Security terminology overview; WebSphere security introduction; Confidentiality using SSL; Authentication: Local OS (SAF); Authentication: LDAP; Authentication: Custom User Registry; Authentication: Trust Association Interceptor; Authorisation to servlets and EJBs; RunAS - delegation/surrogacy; Programmatic security -servlet; Programmatic security - EJB; Java Authorization Contract for Containers (JACC); WebSphere and Tivoli Access Manager.
Understanding the RACF Jobs
High-level view of the configuration process; Output of customisation scripts; SSL networked deployment; SSL Keyring; Userids & Groups for the Base App Server; High-level view of the configuration process; Creating the Security Domain; Define Common Group & Userids; CA certificate; EJBROLES; High-level view of the configuration process; Creating the Base AppServer; Define Userids; Assigning Userids to Started Tasks; SSL in base configuration; Keyring for Servant; Keyring for Administrator Client; SSL in base configuration; Access to server; Access to controller; Access to WLM functions; High-level view of the configuration process; Creating the Development Manager; Certificate for the Development Manager; Development Manager profiles; Empty Managed Node.
RACF Utilities
RACF utilities; IRRUT100; IRRUT100 examples: output (Group), output (User); IRRUT200; IRRUT200 example JCL; IRRUT200 example output; IRRUT400; IRRUT400 example JCL; IRRADU00; IRRADU00 example JCL; ICHDSM00; ICHDSM00 example JCL; IRRDBU00; IRRDBU00 example; IRRRID00; IRRRID00 JCL; BLKUPD; IRRBRW00; IRRRID00 JCL; SMF unload utility using XML; ICETOOL; IRRICE package; The Audit Reporting tool.
Auditing RACF
Auditing RACF; Auditor parameters; RACF Report Writer; Basic RACFRW commands; Full RACFRW syntax; Full SELECT syntax; Basic EVENT command; Full EVENT syntax; Full LIST syntax; RACFRW output example; Full SUMMARY syntax; RACF SMF data Unload utility; SMF Unload utility JCL; Using the unloaded RACF SMF data; Processing the RACF SMF data with DB2; Other reporting tools; The Data Security Monitor; The System & Group Tree Reports; Program Properties & Auth Caller Table Reports; Class Descriptor Table & RACF Exits Report; Global Access Table Report; Started Procedures Table Report; Selected User Attribute Reports; Selected Data Sets Report.
Auditing UNIX System Services Security Events
What can be audited; New RACF classes; RACF commands to implement; SMF records; UNIX commands to audit file access; File Security Packet (FSP); UNIX commands to implement auditing; List file & directory information; Setting the auditing option in the FSP; Auditing the superuser; FSP reporting - HFS Unload.
RACF Control Blocks
RACF control blocks; RACF Communications Vector Table (RCVT); Finding the RCVT; Understanding the RCVT; Data in the RCVT; RCVT vs ICB; SAF Vector Table (SAFV); Finding the SAFV; Accessor Environment Element (ACEE); Where's my ACEE?; ASXBSENV; TCBSENV; Local Control Block; Which ACEE is used?; Which ACEE do I need?; Caveat ACEE; Finding the active ACEE; Security Token; Security Token contents; Security Token uses; ACEE versus Token.
RACF Macros
RACF macros; Macro interfaces; The MVS router (SAF); RACF macros; What do they DO?; RACF macros: RACHECK, RACINIT, RACLIST, FRACHECK, RACDEF, RACSTAT; RACROUTE additions; ICHEINTY; The RACROUTE interface; RACROUTE MF= styles; SAF Parameter list (SAFP); Initialising SAFP; SAFP setup; SAF Work Area (SAFW); SAFW setup; History of REQSTOR & SUBSYS; Using REQSTOR & SUBSYS; Setting up REQSTOR and SUBSYS; Other RACROUTE information; The ACEE - AGAIN!; Return codes; REQUEST=Verify; RACINIT ENVIR= options; RACINIT ENVIR=CREATE; Who do you create?; RACINIT STAT=; ENVIR=CREATE ACEE=; Sample user/password=; Sample with PASSCHK=NO; Sample with Token; Create SESSION=; Create with TERMINAL=; POE=; TERMINAL= vs POE=; Sample with POE=; What about IP addresses?; RACINIT ENVIR=DELETE; ENVIR=DELETE ACEE=; Sample DELETE; REQUEST=AUTH; CLASS=; ENTITY/ENTITYX; ENTITY(X) examples; Sample RACHECK.
RACF Exits
RACF exits; RACF exits; RACF exits; ICHRTX00/01; Pre-processing for ICHRTX00; ICHRTX00: input, output; Pre-exit commonalities; Post-exit commonalities; Pre- to post- communication; Work area pointer; From post- to pre-; 'Gotchas' for SVC exits; Need some input; Finding the parameter list; Coding RACF exits; RACF command exit (IRREVX01); What's a 'dynamic exit'?; RACF IRREVX01 dynamic exit; What can you do in the exit?; IRREVX01 parameter list; The exit command buffer; Using the ACEE passed in exit; Testing your command exit; Sample SETPROG command; Dynamic exit security.
Question & Answer Session