SPARTA News

July 2017
SPARTA President’s Corner
contributed by Randy Springs
It’s hard to believe that 2017 is half gone. I think that the days get shorter as we reach retirement age. I am down to three weeks remaining in my full leg cast after knee surgery to repair my patella tendon. At least by staying inside, I’m missing the heat and humidity, but I am ready for the day I am liberated from this extra weight and able to drive and exercise again.
At the bank, we are moving forward to our August production systems data center migration. Lots of testing with special care not to affect the current system in any way. As we always promise in IT, the move should be “transparent” to our employees and customers.
We have a good crowd registered to attend our next meeting to hear Jon Minshew with the NC Department of Information Technology. Please plan to join everyone for subs, networking, and education on Tuesday, July 11 at 6:15 p.m. at our usual LabCorp location.
Randy Springs
BB&T
Future Speakers
(subject to change)
July 11, 2017 (Special Date) - Status of NC IT by Jon Minshew of North Carolina Dept. of IT
Aug. 1, 2017 - TBD
We need ideas and volunteers for future speakers. Presentations don’t have to be fancy, just informative and interesting. Even a 5 or 10 minute talk can start an interesting interaction. Contact Ron Pimblett by phone as noted below.
2017-2018 SPARTA
Board of Directors
Randy Springs - President
BB&T (919) 745-5241
3200 Beechleaf Court, Suite 300
Raleigh, NC 27604
Ron Pimblett - Vice President
MDI Data Systems
Land line 613 599 6970
Mobile 613 981 6919
190 Guelph Private
Kanata, ON K2T 0J7
Chris Blackshire - Secretary
Retired (Dell, Perot Systems, Nortel) (919) nnn-nnnn
street
Durham, NC 27713
Pam Tant - Treasurer
DTS Software Inc. 919-833-8426 x124
4350 Lassiter at N. Hills Avenue
Suite 230
Raleigh, NC 27609
Ed Webb - Communications Director
SAS Institute Inc. 919-531-4162
SAS Campus Drive
Cary, NC 27513
Mike Lockey - Web Master
Guilford Co. Information Services 336-641-6235
201 N. Eugene St.
Greensboro, NC 27401
Meetings
Meetings are scheduled for the first Tuesday evening of each month (except no meeting in January), with optional dinner at 6:15 p.m. and the meeting beginning at 7:00 p.m.
These monthly meetings usually are held at LabCorp’s Center for Molecular Biology and Pathology (CMBP) near the Research Triangle Park (see last page). Take I-40 to Miami Boulevard and go north. Turn right onto T.W. Alexander Drive. Go about a mile or so. Then turn right into LabCorp complex and turn Left to the CMBP Building (1912 T.W. Alexander Drive). In the lobby, sign in as a visitor to see Bill Johnson. Bill will escort you to the conference room.
Call for Articles
If you have any ideas for speakers, presentations, newsletter articles, or are interested in taking part in a presentation, PLEASE contact one of the Board of Directors with your suggestions.
Newsletter e-Mailings
The SPARTA policy is to e-mail a monthly notice to our SPARTA-RTP Group. The newsletter is posted to the website about five (5) days before each meeting so you can prepare. The SPARTA-RTP Group is maintained by Chris Blackshire; if you have corrections or problems receiving your meeting notice, contact Chris at chrisbl@nc.rr.com.
March 2017 “CBT Tape” Shareware Online
The directory and files from the latest CBT tape V494 (dated March 5, 2017) are available from www.cbttape.org.
If you need help obtaining one or more files, contact Ed Webb at SAS (see Board of Director’s list for contact info).
Minutes of the June 6, 2017 Meeting
• The meeting was called to order at 7:00 PM by Chris Blackshire standing in for Randy Springs, the SPARTA President.
• The meeting was held at a LabCorp conference room in RTP, N.C.
• Seventeen (17) people were present of which Twelve (12) are 2016/2017 members.
• Everyone introduced themselves, told where they worked, and briefly described their job functions or their job hunting challenges.
• The minutes of the May 2, 2017 meeting were approved as published in the June 2017 newsletter.
• The June 2017 Treasurer's report was approved as read by Pam Tant. The balance was $193.99. (See details later in this newsletter)
OLD BUSINESS
• Call For Articles: Articles are needed for this newsletter. If you would like to write an article for this newsletter, please contact Ed Webb. Keep in mind that you don't really need to write the article, it can be an article that you read that you would like to share with the membership.
• The SPARTA Web page is available. To access the SPARTA Web page, point your Web browser to this site: http://www.spartanc.org. Please send any comments or suggestions about the Web page to Mike Lockey. Be sure to check the Web page every once in a while to see any new or changed information.
• Chris reminded everyone to leave the LabCorp conference room clean.
• Future Speakers and Topics (subject to change based on internal politics, budget, the weather):
Date | Company | Speaker | Topic
July 11, 2017 | State of North Carolina | Eric Boyette, CIO NC IT | Status of NC IT
August 1, 2017 | TBD | TBD | TBD
September 12, 2017 | SAS | Ed Webb | SHARE Providence Update
October 3, 2017 | EMC | Brian Kithcart | Virtual Tape Update
November 7, 2017 | Glasshouse Systems | Jim Elliot | LinuxONE and Linux on z Systems Capacity and Solution Planning
December 5, 2017 | Watson & Walker | Cheryl Watson | z/OS Performance
If you have suggestions about speakers and topics, contact Ron Pimblett.
• The next SPARTA monthly meeting will be on Tuesday, July 11, 2017 at LabCorp in RTP.
• Food for the July 11 meeting will be subs/sandwiches.
• The 2017 dues ($30) were due starting in February 2017. Please pay Pam Tant.
• Thanks to LabCorp and Bill Johnson for hosting the meeting.
• There are currently 66 people on the SPARTA-RTP e-mail list.
• Send any e-mail address changes to Chris Blackshire so he can update the SPARTA-RTP Listserv. You will be added by the moderator (Chris = SPARTA-RTP-owner@yahoogroups.com) sending you an invitation to join the list.
NEW BUSINESS
• Not enough people registered for the proposed Durham Bulls group baseball game on Aug 22 as a memorial to Tommy Thomas.
• The September meeting will be held Sept. 12, 2017 because of the Labor Day holiday. Ed Webb will be presenting about his Rhode Island SHARE conference experiences.
• The Business portion of the meeting ended about 7:40 P.M.
• Presentation:
RACF - The Essentials For Systems Programmers
by Robert S. Hansel of
RSH Consulting, Inc.
Introduction to RACF
• Resource Access Control Facility (RACF)
• IBM's Security Software Product for MVS, OS/390, and z/OS
• First introduced in 1976
• Component of IBM's z/OS Security Server
• Comprised of:
- • Database (Primary and Backup Pair)
- - • Profiles - Users, Groups, Datasets, General Resources
- • Software
- - • Programs
- - • Macros - RACROUTE
- - • TSO Commands
- - • Utilities
RACF Functions
• User Identification and Authentication
• Resource Access Authorization
• Monitor User Activity
• Access Administration
RACF Functions
• RACF is called by a system resource manager (e.g. CICS) whenever a user tries to logon or attempts to access a resource
• RACF determines whether an action is authorized and advises the resource manager to allow or disallow the action
• RACF uses the profiles defined in its database to make these determinations
• The resource manager decides what action to take based on what RACF advises
Profiles and Relationships
USER ---- CONNECT ---- GROUP ---- PERMIT ---- RESOURCE
Batch Job ---- (Permit/Alter) ---- Dataset
Started Task ---- (Permit/Control) ---- Dataset
User ---- (Permit/Update) ---- Dataset
User ---- (Permit/Read) ---- Dataset
User ---- (Permit/Execute) ---- Program
User ---- (Permit/None) ---- CICS Transaction
RACF Components
• Database
• Software
• RACF Subsystem
• System Authorization Facility (SAF)
RACF Components - Database
• Primary and optional Backup pair (a database can be multi-dataset)
• Database structure
- • Basic Direct Access Method (BDAM)
- • 4K blocks
- • Sixteen (16) 256-byte segments per block
- - • Profiles are allocated space in contiguous segments
- • A database dataset has a maximum size limit of 2GB
• Database blocks
- • Inventory Control Block (ICB) - SETROPTS Options
- • Index Blocks - Profile location pointers and Application Identity Mapping (AIM)
- • Profile Template Blocks - Profile record layouts
- • Block Availability Mask (BAM) Blocks - identify open segments in each data block
- • Data Blocks - User, Group, Dataset, and General Resource Profiles and Profile Segments (e.g., TSO, CICS, OMVS, STDATA)
• Requires very strict access control (UACC=NONE)
RACF Components - Database - RVARY LIST
Without RACF Sysplex, single database pair ...
RVARY LIST
RACF DATABASE STATUS:
ACTIVE USE NUM VOLUME DATASET
------ ---- --- ------ -------
YES PRIM 1 RACSY4 SYS1.PRIM.RACF
YES BACK 1 RACSY2 SYS1.BKUP.RACF
RVARY COMMAND HAS FINISHED PROCESSING.
With RACF Sysplex data communications and sharing, split database pairs ...
RVARY LIST
RACF DATABASE STATUS:
ACTIVE USE NUM VOLUME DATASET
------ ---- --- ------ -------
YES PRIM 1 SYS907 SYS1.RACFPRD1
YES BACK 1 SYS906 SYS1.RACFBKP1
YES PRIM 2 SYS800 SYS1.RACFPRD2
YES BACK 2 SYS906 SYS1.RACFBKP2
MEMBER PRD1 IS SYSPLEX COMMUNICATIONS ENABLED & IN DATA SHARING MODE.
RVARY COMMAND HAS FINISHED PROCESSING.
RACF Components - Database
• RACF Database allocation
- • Physical Sequential, Unmovable (PSU)
- • Single extent
- • Non-SMS managed
- • Fixed Record Format (RECFM=F)
- • Logical Record Length 4096 (LRECL=4096,BLKSIZE=4096)
RACF Components - Software
• Programs
- • Perform authorization checking (ICH and IRR prefixes)
- • Reside in SYS1.LINKLIB and SYS1.LPALIB
• Tables
• Macros
- • RACROUTE - REQUEST=AUTH, FASTAUTH, VERIFY
- • Independent Macros - RACHECK, FRACHECK, RACINIT
• Supervisor Calls (SVC) - 130-133 - Invoked by Macros
• Exits
• TSO and Console Commands
• Utilities
RACF Components - Software - Tables
• RACF Dataset Name Table - ICHRDSNT
- • Defines RACF dataset names, number of resident data blocks (RDBs), backup options, and RACF SysPlex options
• RACF Command Parsing Table - IRRDPI00
- • Provides RACF with instructions for parsing segments entered with commands
- • Built in memory using program IRRDPI00 or TSO command IRRDPI00
- • Loaded at IPL by the RACF address space or a started task (e.g. IRRDPTAB)
- • Reloaded to incorporate CFIELD profile CFDEF segment additions and changes
• Class Descriptor Table (CDT) - ICHRRCDx
- • Defines classes and their characteristics
- • IBM-supplied table - ICHRRCDX
- • Installation-defined table - ICHRRCDE (macro ICHRRCDE)
- • CDT class profiles - Replace or supersede ICHRRCDx entries
• Started Task Table - ICHRIN03
- • Assigns ID, group, PRIVILEGED, and TRUSTED to a Started Task/Procedure
- • STARTED class profiles - Replace or supersede ICHRIN03 entries
• Dataset Range Table - ICHRRNG
- • Defines profile name ranges to be distributed across multiple database datasets
- • Used in combination with multiple database dataset definitions in ICHRDSNT
• Naming Convention Table - ICHNCV00
- • Enables rearranging dataset names
- • Can enforce dataset naming conventions
- • ICHNCONV macro
• RACF Router Table (RRT) - ICHRFRXx
- • IBM-supplied table (pre z/OS 1.6) - ICHRFR0X
- • Installation-defined table - ICHRFR01 (macro ICHRFRTB)
- • Required by RACF pre z/OS 1.6 (prior to the introduction of the CDT class)
- • Only needed for entries specifying RACF=NONE to skip RACF checking (rarely necessary)
• Authorized Callers Table - ICHAUTAB
- • Enables use of RACROUTE REQUEST=LIST and VERIFY without APF-authorization
- • Not recommended
RACF Exits
• ICHRDX01/02 REQUEST=DEFINE (RACDEF) Pre-/Post-Processing
• ICHRIX01/02 REQUEST=VERIFY{X} (RACINIT) Pre-/Post-Processing
• ICHRCX01/02 REQUEST=AUTH (RACHECK) Pre-/Post-Processing
• ICHRFX01-03/02-04 REQUEST=FASTAUTH (FRACHECK) Pre-/Post-Processing
• ICHRLX01/02 REQUEST=LIST (RACLIST) Pre-/Post-Processing
• ICHDEX01/11 Password Encryption
• ICHPWX01/11 New Password / Password Phrase
• ICHCNX00 Command Pre-Processing for ADDSD, ALTDSD, DELDSD, LISTDSD,
PERMIT, SEARCH, RLIST, RALTER, RDELETE, and Utility ICHUT100
• ICHCCX00 Command Pre-Processing DELUSER, DELGROUP, REMOVE
• IRREVX01 (Dynamic) Command Pre/Post-Processing
• IRRACX01/02 ACEE Compression/Expansion Pre/Post-Processing
• IRRVAF01 (Dynamic) Custom Field (CFIELD) Validation
• IRRSXT00 SAF Callable Services Router Installation
• ICHRTX00/01 SAF Router Post-/Pre-Master Scheduler Initialization
RACF Components - Software - Commands
Profile TSO Commands
User | Group | Dataset | General Resource
ADDUSER | ADDGROUP | ADDSD | RDEFINE
ALTUSER | ALTGROUP | ALTDSD | RALTER
DELUSER | DELGROUP | DELDSD | RDELETE
LISTUSER | LISTGRP | LISTDSD | RLIST
PASSWORD | | |
PHRASE | | |
CONNECT, REMOVE (User/Group) | PERMIT (Dataset/General Resource)
Other TSO Commands: SETROPTS, RVARY, SEARCH, HELP, IRRDPI00, RACDCERT, RACLINK, RACMAP
Console Commands: DISPLAY, RESTART, SET, STOP, TARGET
RACF Components - Software - Utilities
• IRRMIN00 RACF Initialization Utility (also use to update templates)
• IRRIRA00 RACF Internal Reorganize Alias Utility
• IRRUT100 RACF Cross Reference Utility
• IRRUT200 RACF Database Verification Utility (use for backup)
• BLKUPD RACF Block Update Utility (a.k.a. IRRUT300)
• IRRUT400 RACF Database Split/Merge/Extend Utility
• ICHDSM00 RACF Data Security Monitor (a.k.a. DSMON)
• IRRDBU00 RACF Database Unload Utility
• IRRRID00 RACF Remove ID Utility
• IRRADU00 RACF SMF Data Unload Utility
• RACFRW RACF Report Writer
• In environments where multiple z/OS systems share a RACF database, run utilities on the system with the latest z/OS release and maintenance
RACF Components - Software - Utilities
• Unsupported RACF utilities
- • Various programs provided "as is" with no formal support
- • Available via the 'Downloads' link in the 'Resources' tab on the RACF webpage at www.ibm.com/racf
- • Examples:
- - • CDT2DYN - Convert installation ICHRRCDE defined classes to Dynamic CDT profiles
- - • CUTPWHIS - Remove old password history entries (Obsolete with APAR OA43999)
- - • DBSYNC - Builds RACF commands to synchronize databases
- - • IRRHFSU - C program to unload HFS FSPs, like IRRDBU00
- - • IRRXUTIL - REXX programs using the IRRXUTIL R_admin callable service interface
- - • PWDCOPY - Copy ciphered passwords between RACF databases
- - • RACFDB2 - Migrate DB2 access controls to RACF profiles
- - • RACKILL - Unconditionally deletes profiles
• Detailed instructions included with each utility on website
RACF Components - RACF Subsystem
• Not required for ordinary RACF processing
• Provides support for ...
- • Entry of RACF commands via the console
- • RACF Remote Sharing Facility (RRSF)
- • APPC Persistent Verification (PV)
- • R_admin (IRRSEQ00) callable service
- • Key generation for the Network Authentication Server (IBM Kerberos)
- • Password and password phrase enveloping
- • LDAP event notification
- • SAFTRACE
• Recommend implementation to facilitate recovery by the entry of RACF commands via the console
• Recommend configuring RACF subsystem to load command parsing table IRRDPI00 at IPL
System Authorization Facility (SAF)
• SAF - System Authorization Facility
- • Receives and passes RACROUTE requests to the External Security Manager (e.g., RACF)
- • Issues a SAF Return Code (RC) to accompany the RACF Return Code (RC)
• SAF Exits
- • ICHRTX01 - Pre-MSI (Master Scheduler Initialization)
- • ICHRTX00 - Post-MSI (Master Scheduler Initialization)
- • Can optionally set RC and bypass further checking
- • Not invoked for authorization checks which are made as part of RACF callable service checks
SETROPTS
• SETROPTS - SET RACF OPTIONS
- • Defines system-wide RACF security and auditing options
- • Options reside in RACF Database ICB (Inventory Control Block)
• TSO Command - SETROPTS option-operand(s) | LIST
- • LIST - display options
- • Use of command always logged
• Authority to execute
- • SPECIAL - List and set security options only
- • AUDITOR - List all options and set auditing options
- • ROAUDIT (z/OS 2.2) - List all options
- • Group-AUDITOR - List all options
- • OPERCMDS racf-subsystem.SETROPTS - Execute commands via the console
- - • READ - LIST
- - • UPDATE - All other operands
• Setting options on a particular resource class (e.g., TCICSTRN) affects all classes with the same POSIT value
Access Authorization
• RACF determines whether a user is authorized to access a resource at the requested level of access (e.g., READ) based on resource profiles defined in its database
• Resource Managers use RACF authorization macros to call RACF
- • RACHECK or FRACHECK
- • RACROUTE REQUEST=AUTH or FASTAUTH, for example:
    RACROUTE REQUEST=AUTH,USERID='GSMITH',ENTITY='$RSH.PRIV',CLASS='FACILITY',ATTR='READ',LOG=NONE
• RACF sends a Return Code (RC) back to the calling Resource Manager indicating the results of the authorization check
- 0 Authorized
- 4 Not-Protected
- 8 Not-Authorized
• Resource profile types
- • Discrete - Fully qualified resource name match
- • Generic - Partially qualified resource name masking
- • Grouping - Set of dissimilar full and masked resource names
• RACF uses the most specific profile (i.e., closest match to the resource name) for determining access authorization
- • First Discrete, then Generic
- • Generic with most matching non-masking characters, from left to right (profiles listed from most to least specific, with an example resource each would cover):
- - PAY.PROD.MASTER.EMPLOYEE
- - PAY.PROD.MASTER.* (e.g., PAY.PROD.MASTER.BKUP)
- - PAY.PROD.*.EMPLOYEE
- - PAY.PROD.** (e.g., PAY.PROD.CHECKS.TAPE)
- - PAY.**
***** Profiles are sequenced based on EBCDIC characters rather than ASCII *****
Generic Profiles
• Offer one-to-many relationship of profile to resource protected
• Use masking characters to match multiple resources
• Masking characters - in order of precedence in specificity
- - % Single substitute character
- - * Any set of substitute characters or one qualifier
- - ** Any set of substitute characters, zero or more qualifiers
- • For Datasets, use of ** requires the SETROPTS EGN (Enhanced Generic Naming) option be activated
- • Usage and behavior of the masking characters differs based on whether the profile is a Dataset or General Resource
• RACF Variables - defined in the RACFVARS class
- • Have an & prefix (e.g., &RACLNDE) - considered more specific than %, *, or **
- • Can be incorporated into General Resource profiles (e.g., JESSPOOL &RACLNDE.**)
- • Are assigned character string values used in matching resource names
Access Authorization Decision Logic (Diagram not copied)
PRIVILEGED and TRUSTED Authority
• Grants unrestricted access to all resources and assigns z/OS UNIX Superuser (uid 0) authority
• Only applies to Started Tasks
- • Assigned via STARTED class profiles or ICHRIN03 table entries
- • Authority is assigned to the task itself, not to its ID
- • Authority does not transfer to batch jobs submitted by the Started Task
• TRUSTED can be logged via UAUDIT or SETROPTS LOGOPTIONS
• TRUSTED should always be used instead of PRIVILEGED
• IBM recommended TRUSTED Started Tasks ((1) Optional; (2) If using z/OSMF ISPF):
- APSWPROx(1) CATALOG CEA(2) DFHSM(1) DFS(1)
- DUMPSRV GPMSERVE(1) HIS IEEVMPCR IOSAS
- IXGLOGR JESn JESXCF JES3AUX LLA
- NFS OMVS(1) RACF RMF RMFGAT
- SMF SMS SMSPDSE1 SMSVSAM(1) TCPIP
- VLF VTAM WLM XCFAS ZFS(1)
DSMON - Started Task Report (not copied)
Global Access Table
• Performance enhancement tool
- • Grants immediate access to resources without checking profiles or logging access
- • Used to grant all users access to common shared resources
• Comprised of GLOBAL class profiles which contain access granting entries
- • GLOBAL class profiles are the names of other classes
- - • RDEF GLOBAL DATASET
- • Entries are defined as GLOBAL profile members
- - • RALT GLOBAL DATASET ADDMEM('CATLG.*'/READ)
- • Entries
- - • Discrete or Generic - follows generic profile rules for General Resources
- - - • Need not match profile(s) protecting the resource(s)
- - - • For datasets, if not enclosed in quotes, the user's USERID is added as the first qualifier
- - - • Access-levels - ALTER | CONTROL | UPDATE | READ | NONE (not EXECUTE)
- - • Use DELMEM to delete entries
• Special Variables - Used in resource names
- • &RACUID Substitute with requesting user's USERID
- • &RACGPID Substitute with requesting user's current connect group
DSMON - Global Access (Table not copied)
• Access Level of NONE to SYS1.RACF.* causes RACF to skip the GAT and check the profile
• Concern: There may be SYS1-prefixed profiles with UACCs less than READ, and the SYS1.* entry would allow access
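The Access Authorization, Generic Profiles and Global Access Table slides above describe one decision procedure: find the most specific profile covering the resource, apply the access list and UACC, return 0/4/8, and let a Global Access Table entry short-circuit that check unless the entry is NONE. The Python below is an added illustration written for this newsletter page, not code from RACF, IBM or RSH Consulting. It assumes EGN is active (so % is one character, * inside a qualifier is zero or more characters, * as a whole qualifier is exactly one qualifier, and ** is zero or more qualifiers), ranks generic profiles by the slide's "most matching non-masking characters, left to right" rule as an approximation of RACF's own profile ordering, uses a simplified access-list precedence (user entry, then group entries, then ID(*), then UACC), and all profile names, IDs and GAT entries are constructed; the broad GAT entry is written SYS1.** so the matching is unambiguous under EGN.

```python
"""RACF-style access decision: generic profile matching, most-specific
profile selection, access-list/UACC check, and a Global Access Table pre-check.
Added illustration with constructed data; not RACF code."""
import re

ACCESS_LEVELS = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


def qualifier_matches(pattern_q, name_q):
    """Match one qualifier: '%' = exactly one char, '*' = zero or more chars (assumed)."""
    regex = "".join("[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c)
                    for c in pattern_q)
    return re.fullmatch(regex, name_q) is not None


def profile_matches(profile, resource):
    """True if the (possibly generic) profile name covers the resource name."""
    return _match(profile.split("."), resource.split("."))


def _match(pq, nq):
    if not pq:
        return not nq
    if pq[0] == "**":                       # zero or more whole qualifiers (EGN)
        return any(_match(pq[1:], nq[i:]) for i in range(len(nq) + 1))
    if not nq:
        return False
    if pq[0] == "*":                        # exactly one whole qualifier (EGN)
        return _match(pq[1:], nq[1:])
    return qualifier_matches(pq[0], nq[0]) and _match(pq[1:], nq[1:])


def is_generic(profile):
    return any(c in profile for c in "%*")


def specificity_key(profile):
    """Lower sorts first: discrete before generic; then, left to right, a literal
    character beats '%', which beats '*', which beats a '**' qualifier."""
    key = [is_generic(profile)]
    for q in profile.split("."):
        if q == "**":
            key.append(3)
        else:
            key.extend(1 if c == "%" else 2 if c == "*" else 0 for c in q)
        key.append(0)                       # the '.' separator is a literal
    return tuple(key)


def most_specific(profile_names, resource):
    """The profile RACF would use for this resource, or None if unprotected."""
    hits = [p for p in profile_names if profile_matches(p, resource)]
    return min(hits, key=specificity_key) if hits else None


def permitted_level(profile, userid, groups):
    """Simplified precedence: user's own entry, then group entries (highest wins),
    then ID(*), then UACC."""
    acl = profile["acl"]
    if userid in acl:
        return acl[userid]
    group_levels = [acl[g] for g in groups if g in acl]
    if group_levels:
        return max(group_levels, key=ACCESS_LEVELS.__getitem__)
    return acl.get("*", profile["uacc"])


def check_access(profiles, userid, groups, resource, intent):
    """Return (RC, profile name): 0 authorized, 4 not protected, 8 not authorized."""
    name = most_specific(profiles.keys(), resource)
    if name is None:
        return 4, None
    level = permitted_level(profiles[name], userid, groups)
    return (0 if ACCESS_LEVELS[level] >= ACCESS_LEVELS[intent] else 8), name


def global_access_check(gat, resource, intent):
    """Global Access Table pre-check. The most specific matching entry decides:
    NONE means skip the GAT and check the profile; an entry at or above the
    intent grants access with no profile check and no logging.
    Returns True (granted by the GAT) or False (fall through to profiles)."""
    entry = most_specific(gat.keys(), resource)
    if entry is None or gat[entry] == "NONE":
        return False
    return ACCESS_LEVELS[gat[entry]] >= ACCESS_LEVELS[intent]


# Constructed DATASET profiles, in the order the slide ranks the PAY ones.
PROFILES = {
    "PAY.PROD.MASTER.EMPLOYEE": {"uacc": "NONE", "acl": {"PAYADM": "UPDATE"}},
    "PAY.PROD.MASTER.*":        {"uacc": "READ", "acl": {}},
    "PAY.PROD.*.EMPLOYEE":      {"uacc": "NONE", "acl": {"HRGRP": "READ"}},
    "PAY.PROD.**":              {"uacc": "NONE", "acl": {"PAYGRP": "UPDATE"}},
    "PAY.**":                   {"uacc": "READ", "acl": {}},
    "SYS1.RACF.**":             {"uacc": "NONE", "acl": {"RACFADM": "ALTER"}},
}

# Constructed GLOBAL DATASET entries showing the slide's SYS1 concern: without the
# NONE entry, the broad READ entry would grant the RACF database datasets to everyone.
GAT = {"SYS1.**": "READ", "SYS1.RACF.**": "NONE"}

if __name__ == "__main__":
    print(most_specific(PROFILES, "PAY.PROD.MASTER.BKUP"))
    print(check_access(PROFILES, "JSMITH", ["PAYGRP"], "PAY.PROD.CHECKS.TAPE", "UPDATE"))
    print(global_access_check(GAT, "SYS1.PARMLIB", "READ"),
          global_access_check(GAT, "SYS1.RACF.PRIM", "READ"))
```

Running it shows PAY.PROD.MASTER.* chosen for PAY.PROD.MASTER.BKUP, an RC of 0 for the PAYGRP member updating PAY.PROD.CHECKS.TAPE via PAY.PROD.**, and the GAT granting SYS1.PARMLIB while deferring SYS1.RACF.PRIM to its UACC=NONE profile, which then returns 8 for an ordinary user.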
Profile Not Found
• The Return Code (RC) for a profile "not found" is determined by the CDT
- • DFTRETC parameter 0 | 4 | 8 (Allow | Not Protected | Deny)
- • DFTRETC=8 Classes (* - includes grouping class)
- - APPCSERV APPCTP CBIND CONSOLE DCEUUIDS DIRACC DIRAUTH DIRECTRY
- - DIRSRCH FILE FSOBJ FSSEC IPCOBJ JESINPUT JESJOBS JESSPOOL
- - KEYSMSTR MQADMIN* MQCHAN* MQCMDS MQCONN MQNLIST* MQPROC* MQQUEUE*
- - MXADMN* MXNLIST* MXPROC MXQUEUE* MXTOPIC* PROCACT PROCESS PSFMPL
- - RACFHC ROLE SECLABEL SFSCMD SERVER SOMDOBJS* TEMPDSN TMEADMIN
- - WRITER XCSFKEY XFACILIT*
• Calling process decides how to react to Return Code
OPERATIONS Authority
• User and Group-connect attribute
- - LU RSHTEST
- - USER=RSHTEST NAME=RSH RACF TEST ID OWNER=RACFTEST CREATED=09.292
- - ...
- - ATTRIBUTES=OPERATIONS
• Grants ALTER level access when the user has not been permitted access
• Only applies to resources whose classes have been defined with OPER=YES in RACF's Class Descriptor Table (CDT)
• IBM provided classes with OPER=YES - z/OS and z/VM:
- - DATASET DASDVOL DIRECTORY FILE GDASDVOL
- - PSFMPL NETCMDS NETSPAN RODMMGR TAPEVOL
- - VMBATCH VMCMD VMMDISK VMNODE VMRDR
• Can be restricted by explicitly permitting the ID or a connect group of an OPERATIONS user a lower level of access
DSMON - OPERATIONS Authority (List not copied)
Monitoring
• RACF terminology - AUDITING
• Monitoring options can be specified in
- • User profile - UAUDIT
- • Resource profile - AUDIT(options(access-level)), GLOBALAUDIT(-same-)
- - Audit options: SUCCESS, FAILURES, ALL, NONE
- - Default: AUDIT(FAILURES(READ))
- • SETROPTS Options - AUDIT(class), LOGOPTIONS(level(class))
- - Levels: ALWAYS, NEVER, SUCCESSES, FAILURES, DEFAULT
- • RACROUTE Macro - LOG= parameter (e.g., AUTH: NONE | NOSTAT | NOFAIL | ASIS)
• System AUDITOR authority is required to change most monitoring options
• RACF auditing generates System Management Facilities (SMF) records
- • 80 RACF Processing -Logon and access events
- • 81 RACF Initialization -IPL
- • 83 RACF Audit -Subtypes 1 (Dataset SECLABEL), 2 (EIM), 3 (LDAP), 4
(R-auditx)
- 5 (WebSphere), 6 (TKLM)
Administrative Authorities
• System and Group Authorities
- • SPECIAL - Administer RACF profiles, view non-audit options, and set control options
- • AUDITOR - View RACF profiles, view all options, and set audit options
- • ROAUDIT (z/OS 2.2) - View RACF profiles and view all options - System level only
- • OPERATIONS - Access resources, create group datasets, and define group dataset profiles
- • Group authority is limited by "Scope of Groups" (follows profile ownership chain)
• Profile Owner - change, delete profile
• Group Connect Authorities - USE, CREATE, CONNECT, JOIN
• Other Authorities
- • ALTER access to a Discrete profile - change, delete, permit access
- • Class Authorization - CLAUTH(class) - delegate user or resource profile creation
- • FACILITY class IRR profiles - password reset (e.g., IRR.PWRESET.TREE.group)
- • FIELD class profile - delegate profile segment administration (e.g., USER.OMVS.UID)
Troubleshooting Access Problems
• Access violations ordinarily result in the generation of an ICH408I message
- • Messages are suppressed if RACROUTE parameters specify either MSGSUPP=YES or a LOG= option other than ASIS
• ICH408I messages are displayed on the console and in the system log (SYSLOG), and can be viewed via the LOG command in SDSF or with an equivalent product (e.g., IOF or EJES)
- • ICH408I messages appear in the log of the system where the event occurred, and it may be necessary to check the system logs of all systems to find an event
• The violation message displayed to the user is determined by the calling resource manager and may not be as informative as the associated ICH408I message
• RACF messages are listed and explained in the Security Server (RACF) Messages and Codes manual
• ICH408I Message format
- USER(userid) GROUP(group) NAME(user-name) -- or --
- JOB(jobname) STEP(stepname) (no ACEE)
- [ SUBMITTER(submitter's-userid) ]
- [ resource-name ]
- [ CL(class-name) ]
- [ VOL(volser) ] [ FID(file-identifier) ] [ ID(IPC-identifier) ]
- [ reason-for-failure ]
- [ FROM(generic-profile) (G) ]
- [ ACCESS INTENT(access) ACCESS ALLOWED(access) ]
- [ EFFECTIVE UID(uid#) ]
- [ EFFECTIVE GID(gid#) ]
- VOL for VSAM files is the volser of the catalog, not its location
- For Member/Grouping classes, only the Member class is shown
• Common reason-for-failure messages
- • INSUFFICIENT ACCESS AUTHORITY
- • DEFINE - INSUFFICIENT AUTHORITY (create dataset)
- • RESOURCE NOT PROTECTED (PROTECTALL)
- • PROFILE NOT FOUND. IT IS REQUIRED FOR AUTHORIZATION CHECKING (DFTRETC=8)
- • WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED (WARNING)
- • RENAME - INSUFFICIENT AUTHORITY
- • LOGON/JOB INITIATION -
- - • INVALID PASSWORD ENTERED AT TERMINAL terminal-id
- - • EXCESSIVE PASSWORDS OR INACTIVE USER
- - • REVOKED USER ACCESS ATTEMPT
- - • NOT AUTHORIZED TO APPLICATION (APPL)
- - • SUBMITTER NOT AUTHORIZED BY USER (SURROGAT)
- - • NOT AUTHORIZED TO SUBMIT JOB jobname (JESJOBS)
• Sample ICH408I Messages
ICH408I USER(RSMITH ) GROUP(DEPTJ ) NAME(R.L.SMITH )
  FIN.CLIST.CNTL CL(DATASET ) VOL(TSO042)
  INSUFFICIENT ACCESS AUTHORITY
  FROM FIN.CLIST.** (G)
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER($FIN01 ) GROUP(#BATCH ) NAME(FIN PROD )
  PAY.MASTER.FILE CL(DATASET ) VOL(RSV064)
  SUBMITTER(CA7 )
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
  FROM PAY.MASTER.*.** (G)
  ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ )
ICH408I USER(RSHTEST ) GROUP(RSHDFTST) NAME(RSH TEST ID )
  LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00017
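The ICH408I layout above is regular enough to parse mechanically, which is how an administrator turns a day of SYSLOG into the two lists worth acting on first: accesses that succeeded only because a profile is in WARNING mode (the "WARNING not monitored" concern later in the presentation) and failed logons. The Python below is an added illustration for this newsletter page, not RACF, IBM or RSH Consulting code. Its sample SYSLOG text is constructed from the three sample messages on the slide, with field widths padded the way RACF pads them; it assumes continuation lines are indented under the ICH408I header, as they are in SYSLOG.

```python
"""Parse ICH408I access-violation messages out of SYSLOG text and pull out the
events a RACF administrator looks at first. Added illustration; sample messages
are constructed from the slide's examples."""
import re

# Constructed SYSLOG excerpt (the slide's three sample messages, padded).
SAMPLE_SYSLOG = """\
ICH408I USER(RSMITH  ) GROUP(DEPTJ   ) NAME(R.L.SMITH           )
  FIN.CLIST.CNTL CL(DATASET ) VOL(TSO042)
  INSUFFICIENT ACCESS AUTHORITY
  FROM FIN.CLIST.** (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER($FIN01  ) GROUP(#BATCH  ) NAME(FIN PROD            )
  PAY.MASTER.FILE CL(DATASET ) VOL(RSV064)
  SUBMITTER(CA7     )
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
  FROM PAY.MASTER.*.** (G)
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
ICH408I USER(RSHTEST ) GROUP(RSHDFTST) NAME(RSH TEST ID         )
  LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00017
"""


def _field(name, text):
    """Extract a blank-padded parenthesised field such as USER(RSMITH  )."""
    m = re.search(re.escape(name) + r"\(([^)]*)\)", text)
    return m.group(1).strip() if m else None


def _new_event(header):
    return {"user": _field("USER", header), "group": _field("GROUP", header),
            "name": _field("NAME", header), "kind": "access", "submitter": None,
            "resource": None, "class": None, "volume": None, "reason": None,
            "profile": None, "intent": None, "allowed": None,
            "warning": False, "terminal": None}


def parse_ich408i(syslog_text):
    """Return one dict per ICH408I message. Indented lines after the header are
    continuations; an unindented line that is not a header ends the message."""
    events, current = [], None
    for line in syslog_text.splitlines():
        s = line.strip()
        if s.startswith("ICH408I"):
            current = _new_event(s)
            events.append(current)
            continue
        if current is None or not line[:1].isspace():
            current = None
            continue
        if s.startswith("LOGON/JOB INITIATION"):
            current["kind"] = "logon"
            current["reason"] = s.split("-", 1)[-1].strip()
            m = re.search(r"TERMINAL (\S+)", s)
            current["terminal"] = m.group(1) if m else None
        elif " CL(" in s:                       # resource-name CL(class) VOL(volser)
            current["resource"] = s.split(" CL(", 1)[0].strip()
            current["class"] = _field("CL", s)
            current["volume"] = _field("VOL", s)
        elif s.startswith("SUBMITTER("):
            current["submitter"] = _field("SUBMITTER", s)
        elif s.startswith("FROM "):             # FROM generic-profile (G)
            current["profile"] = s[5:].replace("(G)", "").strip()
        elif s.startswith("ACCESS INTENT("):
            current["intent"] = _field("ACCESS INTENT", s)
            current["allowed"] = _field("ACCESS ALLOWED", s)
        else:                                   # reason-for-failure text
            current["reason"] = s
            current["warning"] = s.startswith("WARNING:")
    return events


def warning_mode_events(events):
    """Accesses allowed only because the covering profile is in WARNING mode;
    each one is a profile that needs a real access decision."""
    return [(e["user"], e["resource"], e["profile"], e["intent"])
            for e in events if e["warning"]]


def failed_logons(events):
    return [(e["user"], e["terminal"]) for e in events if e["kind"] == "logon"]


def summarize(events):
    """Count events by reason text, the first cut an auditor takes at a log."""
    counts = {}
    for e in events:
        counts[e["reason"]] = counts.get(e["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_ich408i(SAMPLE_SYSLOG)
    print(summarize(evs))
    print("WARNING-mode:", warning_mode_events(evs))
    print("Failed logons:", failed_logons(evs))
```

The parser keys on the fixed tokens of the message (CL(, FROM, ACCESS INTENT() rather than on column positions, so it is not thrown off by the variable-length resource names and user names RACF pads into the fields.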
RACF Health Checks
CHECK | FUNCTION
RACF_AIM_STAGE | Reports if RACF database is not AIM Stage 3
RACF_BATCHALLRACF | Verifies the SETROPTS option is active
RACF_CERTIFICATE_EXPIRATION | Reports certificates expiring in 90 days
RACF_class_ACTIVE | Verifies that the class is active: CFSKEYS, CFSSERV, FACILITY, JESJOBS, JESSPOOL, OPERCMDS, TAPEVOL, TEMPDSN, TSOAUTH, UNIXPRIV
RACF_ENCRYPTION_ALGORITHM | Checks password encryption algorithms in use
RACF_GRS_RLN | Checks to see if any of the RACF ENQ names are on a GRS resource name exclusion list which changes the scope of the RACF ENQ
RACF_IBMUSER_REVOKED | Verifies that the user ID IBMUSER is revoked
RACF_ICHAUTAB_NONLPA | Raises a SEV(MED) exception if a non-LPA resident ICHAUTAB is found
RACF_PASSWORD_CONTROLS | Checks mixed-case password and invalid password attempts settings
RACF_RRSF_RESOURCES | Confirms INMSG and OUTMSG datasets are defined and protected
RACF_SENSITIVE_RESOURCES | Looks at the current APF data sets, PARMLIB, the System REXX data sets, LINKLIST, and the RACF database data sets and flags those that are not found on the indicated volume or are improperly protected; also examines key system general resources
RACF_UNIX_ID | Checks for existence of FACILITY BPX.DEFAULT.USER and BPX.UNIQUE.USER
ZOSMIGV1R13_DEFAULT_UNIX_ID |
Common Issues and Concerns
• Implementation and Configuration
- • Resource managers not configured to call RACF
- • Inconsistent access controls protecting resources shared by multiple z/OS images having separate RACF databases
• User Controls
- • Stronger password protection not used (KDFAES encryption or mixed-case)
- • PROTECTED attribute not assigned to Batch and Started Task IDs
- • NOINTERVAL assigned to IDs inappropriately
- • SURROGAT access permissions allow non-process users to submit jobs with surrogate IDs, especially with high-authority IDs
- • IDs shared by unrelated Started Tasks rather than individual IDs
- • Different types of IDs (e.g., batch, Started Task, FTP, end-user) mixed in the same groups, especially those granting access
• Resource Protection
- • Generic profile coverage too broad; not sufficiently refined
- • Inappropriate access granted, especially for UACC and ID(*)
- • Excessive use of Started Task TRUSTED authority
- • OPERATIONS authority used instead of storage administrator authority profiles
- • WARNING not monitored or grants use of high-powered functions
- • RESTRICTED attribute not used with default or foreign IDs
- • Global Access Table allows access prohibited by resource profiles
• Dataset Protection
- • Tape dataset protection is not active
- • Temporary dataset protection (TEMPDSN class) is not active
- • BLP and tape dataset protection bypass permissions too liberal
- • Inappropriate ALTER access is granted to catalogs
- • Excessive access granted to system datasets, especially UPDATE
- • Erase-on-Scratch is not used
• General Resource Protection
- • Classes are not active
- • RACLIST-required classes not RACLISTed
- • All resources in a class are not protected comprehensively - no ** profile
- • Locally-defined resource classes have OPERATIONS authority access enabled
• Monitoring/Auditing
- • Profile AUDIT options are not set to capture important events (e.g., violations)
- • SETROPTS AUDIT not active for all classes
- • SETROPTS LOGOPTIONS(FAILURES(class)) not set for UNIX classes
- • SETROPTS LOGOPTIONS(SUCCESS(SURROGAT FSSEC)) not set
- • Reporting tools not used effectively
• Administration
- • SPECIAL and AUDITOR assigned too liberally or to process IDs (e.g., Batch)
- • Profiles owned by users instead of groups
- • OPERATIONS not restricted with access exclusion group
- • Group connect, CLAUTH, FIELD, and IRR profiles assigned inappropriately
• Maintenance
- • Entry of RACF commands via console not tested regularly
- • PROGRAM profiles are outdated - reference libraries that are no longer valid and therefore do not protect the program
- • RACF Database not backed up properly or checked regularly for integrity
- • Health checks not monitored regularly
- • Resource owners not assigned or involved in granting access
- • No formal Mainframe/RACF security policy or standards exist
- • RACF admin function understaffed and undertrained
RACF In Relation To Other Security
• Security Hierarchy (descending)
- • Application Level Security
- • System Software Security
- • RACF
- • z/OS Integrity
- • Software Change Control
- • Physical Security
- • Policies, Standards, and Procedures
• RACF can be circumvented or incapacitated by security failures at other levels
• The presentation ended about 8:45 PM
• Presentation Access - See SPARTA webpage for the complete presentation
• Contact Info:
Robert S. Hansel
RSH Consulting, Inc.
29 Caroline Park
Newton, MA 02468
Phone: 617-969-8211 or 617-969-9050
Email: R.Hansel@rshconsulting.com
LinkedIn:
www.linkedin.com/in/roberthansel
Twitter: http://twitter.com/RSH_RACF
• The June 2017 monthly meeting ended about 9:00 PM.
Treasurer’s Report for June 2017
contributed by Pam Tant
The balance in the account is $355.77 as of June 30, 2017.
SPARTA Financial Report
3/01/2017 through 06/30/2017
INCOME |
Opening Balance | 562.00
Total Deposits |
Food money donated | 48.00
Dues and Sponsorships | 380.00
TOTAL INCOME | $990.00
EXPENSES |
Loan repayment (RS) | 50.00
Loan repayment (PT) | 100.00
Food | 338.36
Web Site | 137.87
Petty Cash | 186.64
Bank Service Charges | 8.00
TOTAL EXPENSE | $820.87
BANK BALANCE | 169.13
PETTY CASH on hand | 186.64
TOTAL CASH | 355.77
Items of Interest
SPARTA Schedule and Menu for 2017
contributed by Chris Blackshire
July 11, 2017 - Subs
Aug. 1, 2017 - BarBQ
Sep. 12, 2017 - ?????
Oct. 3, 2017 - Pizza
Nov. 7, 2017 - Chicken
Dec. 5, 2017 - Subs
Updated SHARE App Now Available for iOS and Android
contributed by Ed Webb
SHARE in Providence is August 6-11, 2017. Hotel reservations and SHARE registration are available now. Go to the Event webpage for details.
The SHARE App for iOS and Android has been updated for the Providence conference. Already downloaded the app during the San Jose event? No need to download anything else! The SHARE Providence event should appear on your app home screen.
Learn more about the SHARE App here.
Besides details on z/OS 2.3, announced to ship in late September, there are rumors of an update to z System that will be of interest in the next several months.
"SHARE Providence features over 500 educational sessions in a range of topics such as z/OS 2.3, Blockchain, Docker and new Security technologies. Plan to join us in Providence, August 6 -11, 2017 to expand your knowledge and network with hundreds of fellow enterprise IT professionals and industry vendors."
Top 5 Common Mainframe Myths Debunked
contributed by Ed Webb
"A bill has recently passed the U.S. House of Representatives (Modernizing Government Technology or MGT) that calls for updating out of date IT systems and technologies. Should the bill pass through the Senate, it is certain that many installed mainframe systems could be targeted for replacement because of the perceived notion that "old" systems should be replaced with new systems. But that is not necessarily true, according to a recent article that appeared in GCN (Government Computer News) titled, "As the MGT Act Rolls Forward, It's Time to Debunk Mainframe Myths." Written by Compuware's Director of Federal, State and Local Government Solutions, Claire Bailey, the article lists five common myths about the mainframe and systematically shoots huge holes through all of them.
Myth #1: The Mainframe is Legacy
In IT circles, “legacy” is often a pejorative term, referring to technologies that may have paved the way for subsequent standards and platforms but are now obsolete and inefficient. Mainframes are often unfairly lumped in this category.
....
IBM’s modern z13 mainframe offers 300 percent more memory and 100 percent more bandwidth than more traditional servers, making it the most powerful computing system on earth. Smartphones may feel light in our pockets, but brawny back-end engines are still needed to support the massive computing loads generated by mobile."
Intrigued? Read the article by Bob Thomas in enterprise Systems Media.
Claire Bailey's original article, as it appeared in GCN, can be read by clicking here.
The Mainframe Hacker: Tools and Rules
contributed by Ed Webb
Q: "I get it, a few mainframes that were overexposed got hacked. Get the word out, get mainframe shops to start behaving. Isn’t that good enough? Will the “wild west” of distributed computing and the tools that go with and against it become the norm on the mainframe?"
A: "So, to me, in a perfect world—and this is actually probably 10 years out—everything that happens on open systems is going to happen on the mainframe.
Today in a modern enterprise you have IDS [Intrusion Detection Systems]. You have authenticated vulnerability scanners, so products like Qualys and Nessus, they should support this platform [z/OS]. They don’t today. They provide unsupported features with unauthenticated scanning."
Read more in this SHARE blog entry by Reg Harbeck with Phil Young.
Before Migrating to COBOL V5 or V6
contributed by Ed Webb
"The best way to optimize your COBOL programs is to migrate them to the latest version of COBOL, spanning COBOL Version 5 and 6. The first part of that strategy involves roadmap planning.
Initial Steps to Take
Things to Avoid and Learn From
Understand Your Hardware Machines: ARCH and OPT
Determine the Latest Version of COBOL to Which You Are Migrating"
Read the details of this article by Dave Kartzman and Bob Yee at Enterprise Tech Journal here.
Centerbridge Partners to Acquire Syncsort and Vision Solutions
contributed by Ed Webb
From an e-mail from Syncsort received Thursday, July 6:
"We are extremely excited to announce that Centerbridge Partners, a leading private investment firm, has signed a definitive agreement to acquire Syncsort and another Clearlake Capital Group portfolio company, Vision Solutions, a leading provider of business resilience software for IBM Power Systems. Upon completion of the acquisition, Syncsort and Vision will be combined, operating under the Syncsort name and led by Syncsort CEO Josh Rogers.
Vision Solutions has a record of technological innovation on the IBM i and AIX Power Systems platforms. Its software solutions are designed to protect data, minimize downtime and maximize resources for the modern data center as enterprises transform their operations with business resilience, migration and security solutions.
Our combined company will have the backing of Centerbridge, which has approximately $29 billion in capital under management, and Clearlake, which is retaining a significant stake in our expanded company. The extensive resources, relationships and expertise of both investment firms will further accelerate our strategy and enable us to deliver even greater value to our customers and partners."
Syncsort promises more information later.
Humor
Siri's Jokes
contributed by Ed Webb
• Hey Siri - Tell Me a Joke
• I can't. I always forget the punch line.
• Hey Siri - Tell Me a Joke
• If I told you a joke in my language, I'd have to explain it.
Don’t Forget the Next SPARTA Meeting
Special Date: Tuesday, July 11, 2017
7 p.m.
Location: LabCorp in RTP
Take I-40 to Miami Boulevard and go north. Turn right onto 1912 T.W. Alexander Drive. Go about a mile or so. Then turn right into LabCorp complex and turn left to the CMBP Building. In the lobby, sign in as a visitor to see Bill Johnson. Bill will escort you to the conference room. Use 1912 TW Alexander Drive, Durham, NC 27703 in your map app.
Free Food: Subs, Sodas and Tea, Dessert
Program:
Status of NC IT
Speaker: Jon Minshew of NC Dept. of IT
SPARTA News
P.O. Box 13194
Research Triangle Park, NC 27709-3194
First Class Postage
SPARTA Corporate Sponsors: