z/OS Version 1 Release 8 RACF Implementation
An IBM Redbooks publication
Note: This publication is now archived. For reference only.
Published on 13 February 2007
ISBN-10: 0738489859
ISBN-13: 9780738489858
IBM Form #: SG24-7248-00
Authors: Paul Rogers, Rogerio E. M. Camargo, Gillian Gainsford and Rita Pleus
This IBM Redbooks publication describes the implementation of RACF® in z/OS® Version 1 Release 8. This release continues to deliver industry leadership for security. Improvements have been introduced to further enhance the security-rich environment z/OS users rely on. These enhancements include:
- RACF support for virtual key rings to treat the collection of all the certificates owned by one user ID, including the SITE and CERTAUTH reserved user IDs, as an independent key ring. The use of the CERTAUTH virtual key ring will help to eliminate the need to manually create multiple real key rings for SSL-enabled z/OS client applications such as FTP.
- RACF template extensions allow templates to expand beyond their current 4K size.
- RACF supports the use of passwords longer than eight characters, now called password phrases.
- The RACF access control module exit, DSNXRXAC, has changed substantially with DB2® version 9. RACF administrators can now define a security rule before an object is created and preserve the rule for a dropped object. In addition, RACF general resources for member and group profiles can be used by an installation to protect multiple DB2 resources with a single RACF profile.
- A new parameter on the IRRUT200 utility tells the utility to activate the backup data set printed to as output. This is accomplished by the utility internally issuing an RVARY ACTIVE for the backup data set after the copy is complete. IRRUT200 and IRRUT400 utilities now check whether their output data sets are active primary or backup RACF data sets on this system.
- New RACF health checks are introduced.
- RACF in z/OS V1R8 provides a solution to some functional gaps in the way that change logging of RACF profile updates was reflected in z/OS LDAP, and an enhancement is made to LISTUSER to show whether password enveloping is enabled for a user.
In addition to describing the new features, this book includes detailed steps for implementing these enhancements. It explains how to configure them for your installation and how to use them to increase the security of your environment.
Chapter 1. RACF Version 1 Release 8
Chapter 2. Password phrase
Chapter 3. Availability improvements for IRRUT200 and IRRUT400
Chapter 4. RACF and the DB2 access control module
Chapter 5. RACF virtual key ring support
Chapter 6. PKI Services
Chapter 7. RACF health checks
Chapter 8. LDAP change logging
Chapter 9. Template and profile extensions