Part 1: IMS SECURITY BASICS
Part 2: SMU CONVERSION
Maida Snapper, IMS Specialist, IBM (maidalee@us.ibm.com)

Disclaimer
© Copyright IBM Corporation [current year]. All rights reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE USE OF IBM PRODUCTS AND/OR SOFTWARE.

IBM, the IBM logo, ibm.com, DB2, CICS, RACF and IMS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml. Other company, product, or service names may be trademarks or service marks of others.

PART 1: SECURITY BASICS

Develop an IMS Security Strategy
§ Which IMS resources need protection
§ What protection do they need
§ Who can access them
§ What security facilities will be used
Ø There is often more than one way to protect a given resource.

Which Resources Need Protection
§ IMS application (CTL, DL/I, etc.)
§ Transactions
§ Commands
§ Terminals
§ PSBs
§ Datasets
§ Databases (records, segments, fields)
§ Dependent regions and connection threads
§ Coupling Facility structures
§ IMSPlex
§ XCF group

Security Facilities
§ IMS default security
§ Program Specification Block (PSB)
§ Encryption
§ VSAM password protection
§ Application-based security
§ Physical security
§ RACF (or other SAF product)
§ Exits


Security Facilities – IMS Default Security
§ Limits commands from sources other than IMS Master and TCO
§ Applies only to IMS type-1 commands
§ Is based on command source of entry
§ Is what you get when you do not specify a command security option for commands entered from that source
§ Is not optional; it can only be deactivated by specifying command security for commands entered from that source
Reference: IMS V10 Command Reference Volume 1

Security Facilities – IMS Default Security
Commands allowed by default when a static or ETO terminal is the source of entry:
/BROADCAST /CANCEL /DIAGNOSE /END /EXCLUSIVE /EXIT /FORMAT /HOLD /IAM /LOCK /LOG /LOOPTEST /RCLDST /RCOMPT /RDISPLAY /RELEASE /RESET /RMLIST /SET /SIGN /TEST /UNLOCK

Security Facilities – IMS Default Security
Commands allowed by default when OTMA is the source of command entry:
/LOCK /LOG /RDISPLAY

Security Facilities – IMS Default Security
Commands allowed by default when LU6.2 is the source of command entry:
/BROADCAST /LOCK /LOG /RDISPLAY /RMLIST

Security Facilities – IMS Default Security
EXAMPLE
  RCF=A
  APPCSE=N
  RDEF CIMS DIS UACC(READ)
Result:
  /DIS from 3270-type terminals is accepted
  /DIS from LU6.2 over APPC is a security violation
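How the RCF=A APPCSE=N example resolves, as an added Python model that is not code from the presentation: it encodes the default command lists from the preceding slides and the RCF values from the DFSPBxxx slide later in the deck. Assumptions: the 3270 terminals are ETO terminals, any APPCSE or OTMASE value other than N means RACF command authorization is requested, and the CIMS check is a stub that consults only the profile's UACC.

```python
# Added model (not code from the presentation) of how IMS decides whether a
# type-1 command is accepted, depending on the source of entry and on whether a
# command security option was specified for that source.

# Commands accepted by default when no command security option applies to the
# source, as listed on the slides. Static and ETO terminals share one list.
DEFAULT_COMMANDS = {
    "STATIC": {"BROADCAST", "CANCEL", "DIAGNOSE", "END", "EXCLUSIVE", "EXIT",
               "FORMAT", "HOLD", "IAM", "LOCK", "LOG", "LOOPTEST", "RCLDST",
               "RCOMPT", "RDISPLAY", "RELEASE", "RESET", "RMLIST", "SET",
               "SIGN", "TEST", "UNLOCK"},
    "OTMA": {"LOCK", "LOG", "RDISPLAY"},
    "LU62": {"BROADCAST", "LOCK", "LOG", "RDISPLAY", "RMLIST"},
}
DEFAULT_COMMANDS["ETO"] = DEFAULT_COMMANDS["STATIC"]

# RCF= values that request RACF command authorization, per terminal type
# (from the "RACF Authorization (RCF)" slide: C and A cover ETO only, S and Y
# cover both static and ETO terminals).
RCF_COMMAND_AUTH = {"ETO": {"A", "C", "S", "Y"}, "STATIC": {"S", "Y"}}


def verb(command: str) -> str:
    """First 3 characters of the command verb, which is also the CIMS profile name."""
    return command.lstrip("/").split()[0][:3].upper()


def racf_command_security_specified(source: str, params: dict) -> bool:
    """True when a command security option is in effect for this source.
    Assumption: for LU6.2 and OTMA, any APPCSE / OTMASE value other than N
    (an omitted parameter counts as N) means RACF command authorization."""
    if source in RCF_COMMAND_AUTH:
        return params.get("RCF", "N") in RCF_COMMAND_AUTH[source]
    key = {"LU62": "APPCSE", "OTMA": "OTMASE"}[source]
    return params.get(key, "N") != "N"


def racf_cims_check(cmd_verb: str, cims_profiles: dict) -> bool:
    """Stand-in for the RACF CIMS check: cims_profiles maps profile name to
    UACC, and any UACC other than NONE authorizes the caller. Access lists
    and the user's identity are deliberately not modelled here."""
    return cims_profiles.get(cmd_verb, "NONE") != "NONE"


def authorize_command(command: str, source: str, params: dict, cims_profiles: dict) -> str:
    """Return 'ACCEPTED', 'VIOLATION (default security)' or 'VIOLATION (RACF)'."""
    v = verb(command)
    if not racf_command_security_specified(source, params):
        # Default security applies. Compare on the 3-character verb because
        # operators may abbreviate (/DIS for /DISPLAY); every command in the
        # default lists has a unique 3-character prefix.
        allowed = {verb(c) for c in DEFAULT_COMMANDS[source]}
        return "ACCEPTED" if v in allowed else "VIOLATION (default security)"
    return "ACCEPTED" if racf_cims_check(v, cims_profiles) else "VIOLATION (RACF)"


if __name__ == "__main__":
    params = {"RCF": "A", "APPCSE": "N"}     # the slide's example; OTMASE omitted
    cims = {"DIS": "READ"}                    # RDEF CIMS DIS UACC(READ)
    for src in ("ETO", "LU62", "OTMA"):
        print(f"/DIS from {src}: {authorize_command('/DIS', src, params, cims)}")
```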


Security Facilities – PSB
§ PSB (Program Specification Block) provides database security
– Data sensitivity (SENSEG, SENFLD) describes the application's view of the database
– Processing options (PROCOPT) define what the application can do (e.g. read or update)
§ PSB should be coded to facilitate security requirements
– Define only the segments and fields needed
– Use only the processing option needed
§ PSB is a trusted resource
– IMS makes no security calls for hard-coded resources in a PSB
– A user authorized to submit a transaction using the PSB is also authorized to submit a transaction to a destination hard-coded in the alternate PCB.


Security Facilities – Encryption
Database encryption may be performed by
§ zSeries and S/390 Crypto Hardware features
§ z/OS Cryptographic Services Integrated Cryptographic Service Facility (ICSF), a component of z/OS Cryptographic Services, is the software interface to the crypto hardware
§ Segment Edit/Compression Exit Routine (DFSCMPX0)
– can invoke user supplied encryption routine
– can call ICSF or other product
– can invoke IBM Data Encryption for IMS and DB2 Databases tool (5655-P03)
– can be different for each segment

Encryption
Data Encryption for DB2 and IMS Databases tool:
§ requires the IBM optional Crypto Express2 (CEX2) hardware feature
§ requires ICSF, the software interface to the crypto hardware
§ requires the standard CP Assist for Crypto Function (CPACF) be enabled and active if the clear key exit is used
§ is recommended over roll-your-own solutions, as extensive testing has been done to ensure the product works with all the product interfaces
§ requires no changes to applications, just a change to the DBD to define the exit routine

Security Facilities – Encryption
Sample PAYROLL Database
[Hierarchy diagram: root segment NAME with child segments ADDRESS and PAYROLL]

SEGM … ,COMPRTN=(routinename,DATA,INIT,MAX)


Security Facilities – Encryption
Sample DBD For Payroll Database

  DBD      NAME=PAYROLDB,ACCESS=HISAM
  DATASET  DD1=PAYROLL,OVFLW=PAYROLOV,
  SEGM     NAME=NAME,BYTES=150,FREQ=1000,PARENT=0
  FIELD    NAME=(EMPLOYEE,SEQ,U),BYTES=60,START=1,TYPE=C
  FIELD    NAME=MANNBR,BYTES=15,START=61,TYPE=C
  FIELD    NAME=ADDR,BYTES=75,START=76,TYPE=C
  SEGM     NAME=ADDRESS,BYTES=200,FREQ=2,PARENT=NAME
  FIELD    NAME=HOMEADDR,BYTES=100,START=1,TYPE=C
  FIELD    NAME=COMAILOC,BYTES=100,START=101,TYPE=C
  SEGM     NAME=PAYROLL,BYTES=100,FREQ=1,PARENT=NAME,COMPRTN=(DFSCMPX0,DATA,INIT,MAX)
  FIELD    NAME=HOURS,BYTES=15,START=51,TYPE=P
  FIELD    NAME=BASICPAY,BYTES=15,START=1,TYPE=P
  DBDGEN
  FINISH
  END


Security Facilities – VSAM Password Protection
VSAM password protection for IMS databases in batch environments
§ prevents accidental access of IMS databases by non-IMS programs
§ used in conjunction with the VSAM CONTROLPW specification on VSAM DEFINE statements
§ specify PASSWD=YES/NO on the DBD
§ ignored in the IMS Online (DB/DC) environment

Security Facilities – VSAM Password Protection
PASSWD=NO on DBD statement
§ is the default
§ specifies that the DBDNAME for this DBD should not be used as the VSAM password
§ in IMS Batch, causes the operator to be prompted for the password each time the data set is opened

Security Facilities – VSAM Password Protection
PASSWD=YES on DBD statement
§ DL/I open uses DBDNAME as the VSAM password for each dataset
§ all datasets for the DBD must use the same password
§ CONTROLPW or MASTERPW password on VSAM DEFINE must be the same as the DBDNAME for the DBD
§ invalid for ACCESS=LOGICAL, MSDB, DEDB


Security Facilities – Application-based Security
§ Application program can perform its own security checks
§ Security rules could be stored in
– Internal table in program
– Database
– RACF
§ Application program can access RACF info with the DL/I AUTH call
• Database
• Field
• Segment
• Other
§ Application program grants or denies resource access based on the USERID of the user who entered the transaction


Security Facilities – Physical Security


Setting Up RACF
§ Create Resource Class descriptions in the Class Descriptor Table (CDT), e.g. TIMS, CIMS, or installation defined
§ Make sure IMS Resource Classes are activated in RACF
§ Populate the RACF database
– Create group & user profiles
• Define groups
• Define users
• Connect users to groups
– Create resource profiles
• Define a profile in the appropriate class for each resource to be secured
– Create access lists
• Permit groups | users to access the resource

RACF Resource Class
§ Collection of profiles with similar characteristics
§ Defined in Class Descriptor Table (CDT)
– Can be defined dynamically
– Maximum 1024
§ Two types of resource classes
– Member class, example CIMS: one profile protects one command
– Grouping class, example DIMS: one profile protects several commands

RACF Resource Class
Example of some resource classes delivered with RACF: TIMS CIMS IIMS LIMS


RACF Resource Class
RACF default resource classes used exclusively by IMS (RCLASS=IMS)

  Member | Grouping    Resources protected
  CIMS   | DIMS        Commands (first 3 characters of command)
  TIMS   | GIMS        Transactions (trancode)
  IIMS   | JIMS        Program Specification Blocks (PSBs)
  LIMS   | MIMS        Logical terminals (LTERM)
  AIMS                 APSB (Allocate PSB) for CPIC-PSB and ODBA
  RIMS                 asynch hold queues for RESUME TPIPE call
  FIMS   | HIMS        Database fields (for AUTH calls)
  SIMS   | UIMS        Database segments (for AUTH calls)
  OIMS   | WIMS        Other (information in RACF for AUTH calls)
  PIMS   | QIMS        Databases (for AUTH call)

RACF Resource Class
RACF resource classes not exclusive to IMS:
  TERMINAL | GTERMINL
  APPL
  VTAMAPPL
  APPCPORT
  APPCLU
  APPCTP
  DATASET
  FACILITY
  OPERCMDS
  STARTED

RACF Resource Class
Example of some installation-defined resource classes when RCLASS=IMSTEST: TIMSTEST CIMSTEST IIMSTEST LIMSTEST


RACF Resource Class
§ RCLASS specification in IMS = 1-7 alphanumerics
– define on SECURITY macro
– override in DFSDCxxx
– default = IMS
§ Different RCLASS can be used to define different RACF rules for different IMS systems sharing one RACF database
– example 1: RCLASS=IMSTEST
– example 2: RCLASS=imsid
§ Define each new resource class in the Class Descriptor Table (CDT)
§ Activate resource classes in RACF: SETR CLASSACT(classname)

RACF Resource Class
§ Class Descriptor Table (CDT)
– entries can be defined statically (IPL) or dynamically (no IPL)
– maximum 1024 entries
• 256 defined by IBM
• 768 can be installation-defined
– loaded at IPL by merging static, then dynamic class descriptors
– a dynamic entry will replace a static entry of the same name
– if the merge reaches 1024, RACF warns that entries are being ignored
– CDT processes a paired member and grouping class together
§ Updating the RACF Router Table for new resource classes is not required
§ Supplied CDT entries are documented in Appendix C of the z/OS Security Server RACF Macros and Interfaces

Populate the RACF Database
Consists of profiles
§ Group profile: defines group name, subgroup, group authority, ...
§ User profile: defines individual user ID, password, user attributes, connect groups, ...
§ Resource profile: defines security requirements for a resource
– Defines Universal Access
– Defines authorized users/groups (access list)

RACF GROUP and USER Profiles
Example of defining group and user profiles (not all required parameters shown here)
  ADDGROUP IMSGRP4 …
  ADDGROUP DBAGRP …
  ADDUSER IMSUS99 NAME(BILL) PASSWORD(IMSPW99) DFLTGRP(IMSGRP4) …
  CONNECT IMSUS99 GROUP(IMSGRP4) …
  CONNECT IMSUS99 GROUP(DBAGRP) …

RACF GROUP and USER Profiles
§ When IMS resources are protected by RACF
– IMS needs a user ID
– DLI/SAS needs a user ID
– Dependent region may need a user ID
§ The user IDs are needed for
– Access to system resources and data sets, for example the System dump data set
– Access to IMS protected data sets, for example IMS RECON or RESLIB
– Access to IMS resources as the default user ID
§ User IDs can be created using the RACF STARTED class

RACF Resource Profiles
§ Discrete profile
– protects a singular resource
– fully qualified profile name
§ Generic profile
– protects one or more resources of the same type
– profile contains generic (wildcard) characters
– SETR GENERIC(classname) to enable generics
§ Fully-qualified generic profile
– used only by the DATASET resource class
– used to retain the profile when the dataset is deleted
§ If multiple profiles exist for a resource, RACF uses the most specific

RACF Resource Profiles
Define a RACF resource profile
  RDEFINE | RDEF class-name profile-name UACC(access-authority)
§ class-name is the RACF resource class
§ profile-name is the IMS resource name
§ UACC is the universal access authority
Examples:
  RDEFINE TIMS IMSTRANA UACC(READ)
  RDEFINE TIMS IMSTRAN* UACC(NONE)
  RDEFINE CIMS DIS UACC(READ)
  RDEFINE DIMS DBACMDS UACC(NONE) ADDMEM(STO,STA,DBR)
§ z/OS Security Server RACF Command Language Reference, Appendix A, Naming Considerations for Resource Profiles

RACF Resource Profiles
  RDEFINE CIMS DIS UACC(READ)
  RDEFINE DIMS DBACMDS ADDMEM(STO,STA,DIS) UACC(NONE)

RACF Resource Profiles

  IMS resource         RACF class name     RACF member class profile name
  Transaction          TIMS / GIMS         transaction name
  Command (type 1)     CIMS / DIMS         first 3 characters of command
  PSB                  IIMS / JIMS         psb name
  LTERM                LIMS / MIMS         lterm name
  DBRC command         FACILITY            safhlq.command_verb.command_keyword.qualifier
  OM command           OPERCMDS            IMS.plxname.command_verb.modifier
  CF structures        FACILITY            CQSSTR.structure_name / IXLSTR.structure_name
  IMS Control Region   APPL                imsid
  IMSPlex (CSL)        FACILITY            CSL.imsplexname or XCF grp (Client bid) / IMSXCF.groupname.membername
  Dataset              DATASET             dataset name

RACF Resource Profiles
Universal Access Authority (UACC)
§ Can be any one of the following: NONE, READ, EXECUTE, UPDATE, CONTROL, ALTER
§ READ is required for most IMS resources
§ UPDATE is required for
– Some Type 2 commands
– CQS access to CF structures (SMQ and RM)
– Registering with SCI to join an IMSplex
§ CONTROL is required for
– VSAM datasets open for update
– IMS V10 gives the option to open RECON for READ

RACF Access Lists
Add an access list to a resource profile
  PERMIT | PE profile-name CLASS(class-name) ID(userid(s) and/or group-name(s)) ACCESS(access-authority)
Examples:
  PERMIT IMSTRAN* CLASS(TIMS) ID(GROUPA JOE) ACCESS(READ)
  PERMIT STO CLASS(CIMS) ID(NANCY DBAGRP) ACCESS(READ) WHEN(TERMINAL(terminal-id ...))

RACF Access Lists
§ User or Group Access Authority (ACCESS) can be:
– NONE
– READ
– EXECUTE
– UPDATE
– CONTROL (for VSAM)
– ALTER
§ Maximum entries in the access list of a profile is 5957
– access list of each profile is limited to 65535 bytes
– each user or group in the access list uses 11 bytes

RACF Access Lists
§ Associated with resource profiles
§ Define access authorities of GROUPs and USERs

  Resource: DIS    Resource Class: CIMS    Profile Owner: IMSADMIN    UACC: NONE

  Group or Userid   Access Level
  GROUPY            READ
  STILWELL          NONE
  CM431GP           READ

Making RACF Security Changes Online
§ To update a RACF security definition
– update the RACF database
– refresh the RACF data space from the database by issuing SETROPTS RACLIST(classname) REFRESH
§ RACF refreshes all classes with the same CDT POSIT value as classname
§ specify the member classname, not the grouping classname; for example, specify CIMS, not DIMS
§ REFRESH must be entered on all members of a SYSPLEX unless RACF is configured for SYSPLEX communication

How IMS Talks to SAF
§ When IMS initializes
– IMS calls RACF to load IMS resource profiles into a data space (RACLIST)
  RACROUTE REQUEST=LIST,GLOBAL=YES
– DATASET, Group and User profiles are not eligible for the data space
– RACF builds an ACEE for the IMS user ID
§ When a user signs on to IMS
– IMS calls RACF for sign on verification
  RACROUTE REQUEST=VERIFY,ENVIR=CREATE,ACEE=addr…
– IMS passes USERID, PASSWRD, GROUP, TERMID, APPL
– RACF verifies user ID, password, TERMINAL, APPL
– RACF builds the ACEE
– RACF returns the ACEE address and a return code to IMS
Reference: z/OS Security Server RACF RACROUTE Macro Reference

How IMS Talks to SAF
§ When a user accesses a resource
– IMS calls RACF to check authorization
  RACROUTE REQUEST=FASTAUTH
  IMS passes ACEE, CLASS, ENTITY, ATTR
  Example: RACROUTE REQUEST=FASTAUTH,ACEE=addr,CLASS=CIMS,ENTITY=DIS,ATTR=READ
– RACF sends a return code to IMS
• 0 user is authorized
• 4 resource has no profile
• 8 user is not authorized
– IMS grants access if 0 or 4
– If return code 8, IMS calls RACF for audit logging
  RACROUTE REQUEST=AUTH with parameters similar to FASTAUTH
– RACF checks authorization and logs violation messages
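The FASTAUTH/AUTH sequence above, together with the RDEFINE and PERMIT examples from the earlier resource-profile slides and the WARNING-mode behaviour described later, as an added Python model that is not IBM's code. GROUPA, JOE, NANCY, DBAGRP, BILL and IMSGRP4 are the slides' own sample names; the PAYTRAN profile and the CHE command are constructed; the profile-matching rules (discrete beats generic, then longest literal prefix; a user's own access-list entry takes precedence over group entries) are a simplification of RACF.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # low to high


@dataclass
class Profile:
    cls: str                 # RACF class, e.g. CIMS (member) or DIMS (grouping)
    name: str                # profile name; '*' or '%' makes it generic
    uacc: str = "NONE"       # universal access authority
    warning: bool = False    # defined with RDEFINE ... WARNING
    members: tuple = ()      # ADDMEM(...) list of a grouping-class profile
    acl: dict = field(default_factory=dict)   # PERMIT entries: userid/group -> access

    def is_generic(self):
        return "*" in self.name or "%" in self.name

    def covers(self, entity):
        # RACF '%' matches exactly one character; fnmatch spells that '?'.
        return fnmatchcase(entity, self.name.replace("%", "?"))


class RacfDb:
    """A few profiles plus the member -> grouping class pairing from the CDT."""

    def __init__(self, grouping_of):
        self.profiles = []
        self.grouping_of = grouping_of     # e.g. {"CIMS": "DIMS"}
        self.log = []                      # stands in for RACF's audit records

    def rdefine(self, cls, name, uacc="NONE", warning=False, addmem=()):
        self.profiles.append(Profile(cls, name, uacc, warning, tuple(addmem)))

    def permit(self, name, cls, ids, access):
        prof = next(p for p in self.profiles if p.cls == cls and p.name == name)
        for ident in ids:
            prof.acl[ident] = access

    def find_profile(self, cls, entity):
        """Most specific profile protecting entity, or None (the RC 4 case).
        Simplified RACF rule: discrete beats generic, then longest literal prefix."""
        grouping = self.grouping_of.get(cls)
        cands = [p for p in self.profiles
                 if (p.cls == cls and p.covers(entity))
                 or (p.cls == grouping and entity in p.members)]
        if not cands:
            return None
        return max(cands, key=lambda p: (not p.is_generic(), len(p.name.split("*")[0])))

    def effective_access(self, prof, user, groups):
        if user in prof.acl:               # the user's own entry wins over group entries
            return prof.acl[user]
        via_groups = [prof.acl[g] for g in groups if g in prof.acl]
        return max(via_groups, key=ACCESS_ORDER.index) if via_groups else prof.uacc

    def fastauth(self, cls, entity, user, groups, attr="READ"):
        """RACROUTE REQUEST=FASTAUTH: in-storage check, no logging, RC 0 / 4 / 8."""
        prof = self.find_profile(cls, entity)
        if prof is None:
            return 4
        have = self.effective_access(prof, user, groups)
        return 0 if ACCESS_ORDER.index(have) >= ACCESS_ORDER.index(attr) else 8

    def auth(self, cls, entity, user, groups, attr="READ"):
        """RACROUTE REQUEST=AUTH: same decision, but failures are logged and a
        profile in WARNING mode allows the access with an ICH408I warning."""
        rc = self.fastauth(cls, entity, user, groups, attr)
        if rc != 8:
            return rc
        prof = self.find_profile(cls, entity)
        if prof.warning:
            self.log.append(f"ICH408I WARNING: {user} {cls} {entity} allowed, profile in WARNING mode")
            return 0
        self.log.append(f"ICH408I {user} {cls} {entity} INSUFFICIENT ACCESS AUTHORITY")
        return 8


def ims_authorize(db, cls, entity, user, groups, attr="READ"):
    """IMS's handling from the slide: grant on 0 or 4 (an unprotected resource is
    allowed); on 8 re-drive with AUTH so RACF logs it, granting only if AUTH says 0."""
    rc = db.fastauth(cls, entity, user, groups, attr)
    if rc in (0, 4):
        return True
    return db.auth(cls, entity, user, groups, attr) == 0


def sample_db():
    """Constructed from the slides' RDEFINE / PERMIT examples; PAYTRAN is added."""
    db = RacfDb({"CIMS": "DIMS", "TIMS": "GIMS"})
    db.rdefine("TIMS", "IMSTRANA", uacc="READ")
    db.rdefine("TIMS", "IMSTRAN*", uacc="NONE")
    db.permit("IMSTRAN*", "TIMS", ["GROUPA", "JOE"], "READ")
    db.rdefine("CIMS", "DIS", uacc="READ")
    db.rdefine("DIMS", "DBACMDS", uacc="NONE", addmem=("STO", "STA", "DBR"))
    db.permit("DBACMDS", "DIMS", ["DBAGRP"], "READ")
    db.rdefine("TIMS", "PAYTRAN", uacc="NONE", warning=True)   # migration: WARNING mode
    return db
```

The RC 4 path is the one worth watching in a review: a command or transaction with no profile in its class is granted, so coverage of the profile set matters as much as the access lists.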

How IMS Talks to SAF
§ When a user signs off
– IMS calls RACF to delete the user's ACEE
  RACROUTE REQUEST=VERIFY,ENVIR=DELETE,ACEE=addr…
– RACF deletes the user's ACEE
§ When IMS terminates
– IMS calls RACF to deregister interest in the resource classes
  RACROUTE REQUEST=VERIFY,ENVIR=DELETE,ACEE=addr…
– RACF deletes the ACEE for the IMS user ID
– GLOBAL=YES data spaces are not deleted

How IMS Talks to SAF
Accessor Environment Element (ACEE)
§ Constructed by RACF when the user signs on
§ Deleted when the user signs off
§ Contains a description of the user's security environment
– User ID
– Current connect group
– User attributes
– Group authorities
ACEE documented in z/OS IBM Security Server RACF Data Areas

Summary of RACF Commands
§ Adding profiles:
– ADDUSER add user profile (AU)
– ADDGROUP add group profile (AG)
– ADDSD add dataset profile (AD)
– CONNECT to associate USER with GROUP
– RDEFINE define profile for general resource class (RDEF)
– RALTER to make changes to a profile
§ Creating access lists to allow access to resources
– PERMIT define resource access list (PE)
§ Set RACF options: SETROPTS (SETR)
– CLASSACT – activate the resource class
– RACLIST – populate the dataspace
– GENERIC – allow generic resource checking
– REFRESH – refresh the dataspace

RACF in WARNING Mode for Migration
To ease migration
§ you can specify WARNING in the resource profile definition (RDEF)
§ in WARNING mode you can audit access attempts:
– RACF records each access attempt
– if the user is not authorized, RACF allows access and sends ICH408I
– if notify user is specified in the resource profile, RACF also sends a warning message to the user


Security Facilities – Exits
§ Sign on/off verification
– DFSCSGN0
– DFSSGNX0
– DFSSGFX0
§ Transaction authorization
– DFSCTRN0
– DFSCTSE0 (reverify)
– DFSBSEX0 (build security env)
§ Command authorization
– DFSCCMD0
– DSPDCAX0 (DBRC)
– OM user exits
§ RAS (dependent region/thread)
– DFSRAS00
§ Other
– OTMA exits
– DFSTCNT0 (TCO)
– DFSCMPX0 (encryption)
– DFSFLGE0 (log edit)
– KBLA scrub
Reference: IMS V10 Exit Routine Reference

Security Facilities – Exits
§ DFSCTRN0 is generally not invoked unless the RACF return code is 0 or 4
§ DFSCTSE0 (reverification entry point of DFSCTRN0) is always invoked for CHNG and AUTH calls, no matter what the RACF return code is
§ When DFSCCMD0 cannot be explicitly requested (e.g. APPCSE), it is invoked if it exists, no matter what the RACF return code is
§ DFSBSEX0 was offered to improve performance; it allows you to control if and when a security environment is dynamically built in cases where it does not exist (“back end” IMS, or user has signed off, for example)
§ Exits can be used to do more granular checking than RACF may offer

How to Specify the Security Facility You Want

Tell IMS What Security To Use
§ IMSGEN macros
– (COMM)
– (IMSGEN)
– SECURITY
– LINE
– TERMINAL
– TRANSACT
– TYPE
§ Override IMSGEN macros with
– IMS execution parameters in JCL or PROCLIB
§ Override JCL or PROCLIB with
– IMS commands
• /NRE and /ERE
• /SECURE
• /SET

Security Macro IMS V9
IMS V9 SECURITY macro specifies security options for IMS resources
– SMU security options
– Other non-SMU security options, such as RACF and/or exit routine options

  SECURITY PASSWD=NO|YES|FORCE,
           TERMNL=NO|YES|FORCE,
           TRANCMD=NO|YES|FORCE,
           SECCNT=0|1|2|3,
           RCLASS=,
           SECLVL=,
           TYPE=

Security Macro IMS V10
IMS V10 SECURITY macro specifies RACF and/or EXIT security options

  SECURITY TRANCMD=NO|YES|FORCE,
           SECCNT=0|1|2|3,
           RCLASS=,
           SECLVL=,
           TYPE=

Security Macro
§ SECLVL= transaction authorization / signon verification
§ TYPE= RACF and/or EXITS; choose one from each column:
  NORAS | RASRACF | RASEXIT | RAS
  NORACTRM | RACFTERM
  NOTRANEX | TRANEXIT
  NOSIGNEX | SIGNEXIT
  NORACFCM | RACFCOM

IMS DB/DC Security Options DFSPBxxx
These override the SECURITY macro
  TRN =    Transaction authorization option
  SGN =    Sign on authorization option
  ISIS =   Resource Access security
  RCF =    RACF security option(s)
  AOI1 =   TRANCMD security option (TYPE 1 AOI)

Sign On Verification (SGN)
DFSPBxxx SGN= overrides and augments SECURITY macro SECLVL
§ N specifies that the signon verification function is not in effect
§ Y specifies that the signon verification function is to be activated
§ F same as Y, except the MTO cannot negate the activation of the signon verification function
§ M a single userid can sign on to multiple terminals (does not activate signon verification)
§ Z = Y + M
§ G = F + M

Transaction Authorization (TRN)
DFSPBxxx TRN= overrides the SECURITY macro SECLVL
§ N  Transaction authorization is inactive for this execution of IMS; it can be activated on /NRE or /ERE COLDSYS
§ Y  Transaction authorization is active for this execution of IMS; it can be deactivated on /NRE or /ERE COLDSYS
§ F  Same as Y, but it cannot be deactivated on /NRE or /ERE COLDSYS
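The precedence described on the last three slides (SECURITY macro, then DFSPBxxx, then the restart keyword, with FORCE/F closing the restart door) is easy to get wrong when several people own the pieces. The following script is an added illustration, not part of the presentation or of IMS itself: it resolves the settings in force from those three inputs. The tuple layout used for SECLVL and the dictionary of DFSPBxxx values are this example's simplification, not IMS syntax.

```python
# Added example (not from the presentation): resolve the transaction-
# authorization and signon-verification settings actually in force from the
# SECURITY macro SECLVL, the DFSPBxxx TRN=/SGN= overrides and a TRANAUTH /
# NOTRANAUTH keyword given on /NRE or /ERE COLDSYS. The tuple layout of
# SECLVL used here is this example's simplification, not the macro's syntax.

SGN_VALUES = {  # SGN= value -> (verification on, forced, multiple signon allowed)
    "N": (False, False, False),
    "Y": (True, False, False),
    "F": (True, True, False),
    "M": (False, False, True),  # M alone does not activate verification
    "Z": (True, False, True),   # Z = Y + M
    "G": (True, True, True),    # G = F + M
}
TRN_VALUES = {  # TRN= value -> (transaction authorization on, forced)
    "N": (False, False),
    "Y": (True, False),
    "F": (True, True),
}
MACRO_VALUES = {"NO": (False, False), "YES": (True, False), "FORCE": (True, True)}


def resolve(seclvl, dfspb=None, restart_keyword=None):
    """seclvl: (transaction authorization, signon verification) from the
    SECURITY macro, each NO | YES | FORCE.
    dfspb: DFSPBxxx overrides, e.g. {"TRN": "F", "SGN": "Z"}.
    restart_keyword: TRANAUTH or NOTRANAUTH entered on /NRE or /ERE COLDSYS.
    Returns the settings in force and which source decided each one."""
    dfspb = dfspb or {}
    tran_on, tran_forced = MACRO_VALUES[seclvl[0]]
    sgn_on, sgn_forced = MACRO_VALUES[seclvl[1]]
    multi = False
    source = {"TRN": "SECURITY macro SECLVL", "SGN": "SECURITY macro SECLVL"}

    # DFSPBxxx overrides (and, for SGN=, augments) the macro.
    if "TRN" in dfspb:
        tran_on, tran_forced = TRN_VALUES[dfspb["TRN"]]
        source["TRN"] = "DFSPBxxx TRN=" + dfspb["TRN"]
    if "SGN" in dfspb:
        sgn_on, sgn_forced, multi = SGN_VALUES[dfspb["SGN"]]
        source["SGN"] = "DFSPBxxx SGN=" + dfspb["SGN"]

    # The restart keyword can flip transaction authorization only when the
    # value in force is not FORCEd: TRN=F is the setting that closes this door.
    if restart_keyword in ("TRANAUTH", "NOTRANAUTH"):
        if tran_forced:
            source["TRN"] += " (restart keyword ignored: forced)"
        else:
            tran_on = restart_keyword == "TRANAUTH"
            source["TRN"] = "/NRE or /ERE COLDSYS " + restart_keyword
    elif restart_keyword is not None:
        raise ValueError("unknown restart keyword " + restart_keyword)

    return {
        "tran_auth": tran_on, "tran_forced": tran_forced,
        "signon_verification": sgn_on, "signon_forced": sgn_forced,
        "multiple_signon": multi, "decided_by": source,
    }
```

The point the script makes concrete: with TRN=Y a cold restart entered with NOTRANAUTH silently switches transaction authorization off, while TRN=F (or SGN=F/G for signon) keeps it on and records that the keyword was ignored.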

RACF Authorization (RCF)
DFSPBxxx RCF= overrides and augments the SECURITY macro TYPE
§ N  Do not call RACF for signon verification, transaction authorization or command authorization for commands entered from static or ETO devices
§ A  Call RACF for signon verification, transaction authorization and command authorization for input from static or ETO terminals
§ C  Call RACF to authorize commands entered from ETO terminals
§ S  Call RACF to authorize commands entered from both static and ETO terminals
§ T  Call RACF for signon verification and transaction authorization
§ Y  Call RACF for signon verification, transaction authorization and command authorization for commands entered from ETO devices

More IMS DB/DC Security Options (DFSPBxxx)
These have no equivalent on the SECURITY macro:
   AOIS=     ICMD security option (Type 2 AOI)
   CMDMCS=   MCS/E-MCS command option
   ODBASE=   ODBA security option
   APPCSE=   APPC security option
   OTMASE=   OTMA security option
   TCORACF=  TCO RACF command authorization security option
   RVFY=     RACF reverify option
   RCFTCB=   Number of RACF TCBs
   ALOT=     Automatic logoff for ETO
   ASOT=     Automatic signoff for ETO

IMS DC Security Options (DFSDCxxx)
– This overrides the SECURITY macro:
  • RCLASS   1-7 character suffix for the RACF IMS resource classes
– These have no equivalent on the SECURITY macro:
  • BMPUSID
  • MSCSEC
  • LOCKSEC
  • SIGNON
  • SAPPLID

Operations Manager Security Options
§ CSLOIxxx (Operations Manager PROCLIB)
  CMDSEC=  security option for all commands routed through Operations Manager (OM)
§ DFSCGxxx (IMS PROCLIB)
  CMDSEC=  security option for Type 1 commands routed through Operations Manager (OM)

IMS Security-related Log Records
§ Type X'10' – a security violation has occurred
§ Type X'16' – written at /SIGN ON and /SIGN OFF; contains
  • Physical terminal identifier
  • Userid
  • IMS time stamp
§ These record types contain the userid of the signed-on user:
  – Types X'01' and X'5901'  input message
  – Types X'03' and X'5903'  output message
  – Types X'50', X'51', X'52' and X'5950'  database change records

Putting It All Together

Factors Affecting Security
The security in force is determined by:
§ IMS system definition
§ IMS JCL overrides
§ IMS PROCLIB overrides
  – DFSPBxxx
  – DFSDCxxx
  – CSLOIxxx
  – DFSCGxxx
§ IMS commands and restart options
  – Example: /SECURE APPC FULL
  – Example: /NRE TRANAUTH
§ Whether IMS was warm started or cold started
§ Source of the input message
§ RACF definitions
§ Exits

Protecting IMS Resources
§ IMS application (CTL, DL/I, etc.)
§ Transactions
§ Commands
§ Terminals
§ PSBs
§ Datasets
§ Databases (records, segments, fields)
§ Dependent regions and connection threads
§ Coupling Facility structures
§ IMSPlex

Protecting IMS Resources: Some Examples Using RACF

Protecting the IMS Control Region
Example:
   SETROPTS CLASSACT(APPL)
   RDEFINE APPL (IMSP,IMST) UACC(NONE)
   PERMIT IMSP CLASS(APPL) ID(GROUP1,GROUP2) ACCESS(READ)
   PERMIT IMST CLASS(APPL) ID(GROUPA,GROUPB) ACCESS(READ)
   PERMIT IMSP CLASS(APPL) ID(BILL) ACCESS(READ) WHEN(TERMINAL(NODE1,NODE2))
If RAS security is activated (ISIS=R), the dependent region userids also need access:
   PERMIT IMSP CLASS(APPL) ID(IMSMPR1,IMSBMP1) ACCESS(READ)
   SETR RACLIST(APPL) REFRESH

Protecting DBRC Commands
Example:
   CHANGE.RECON CMDAUTH(SAF,PROD)
   RDEFINE FACILITY PROD.GENJCL.RECOV.AAA UACC(NONE)
   PERMIT PROD.GENJCL.RECOV.AAA CLASS(FACILITY) ID(JOE) ACCESS(READ)
   RDEFINE FACILITY PROD.GENJCL.RECOV.* UACC(NONE)
   PERMIT PROD.GENJCL.RECOV.* CLASS(FACILITY) ID(BILL) ACCESS(READ)
The complete list of resource names can be found in the IMS V10 System Administration Guide, Table 28, and in the IMS V9 DBRC Guide and Reference, Appendix C.

Protecting OM Commands
CMDSEC=R
   RDEFINE OPERCMDS IMS.CSLPLX0.UPD.TRAN UACC(NONE)
   PERMIT IMS.CSLPLX0.UPD.TRAN CLASS(OPERCMDS) ID(LONNIE) ACCESS(UPDATE)
   RDEFINE OPERCMDS IMS.CSLPLX0.UPD.DB UACC(NONE)
   PERMIT IMS.CSLPLX0.UPD.DB CLASS(OPERCMDS) ID(ALAN) ACCESS(UPDATE)
   RDEFINE OPERCMDS IMS.CSLPLX1.QRY.* UACC(NONE)
   PERMIT IMS.CSLPLX1.QRY.* CLASS(OPERCMDS) ID(KENNY) ACCESS(READ)
The complete list of resource names can be found in the IMS V10 IMSplex Administration Guide, Table 8, and in the IMS V9 Command Reference, Appendix I (Resource Names Table).
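The OPERCMDS profiles above mix discrete names with a generic, and the question a practitioner asks before turning on CMDSEC=R is "which profile will cover this command, and what happens to a command no profile covers?". The script below is an added illustration, not part of the presentation and not RACF code: it builds the IMS.plexname.verb.resourcetype name for a type-2 command and evaluates it against a constructed profile list using generic matching as this example understands RACF's rules ('**' matches zero or more qualifiers, '*' one whole qualifier or any characters within one, '%' one character, most specific profile wins). Group access lists and WARNING mode are not modelled, and the "not defined means allowed" behaviour is this example's assumption about how IMS treats an unprotected resource.

```python
# Added example (not from the presentation): build the OPERCMDS resource name
# for a type-2 command routed through OM and evaluate it against a constructed
# profile list the way RACF would with CMDSEC=R. Matching follows RACF's
# enhanced generic naming as this example understands it ('**' = zero or more
# qualifiers, '*' = one whole qualifier or any characters inside one, '%' = one
# character); group access lists and WARNING mode are not modelled.
import re

ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def om_resource(plex, verb, resource_type):
    """IMS.plexname.verb.resourcetype, e.g. IMS.CSLPLX0.UPD.TRAN for UPDATE TRAN."""
    return "IMS.%s.%s.%s" % (plex.upper(), verb.upper(), resource_type.upper())


def _qualifier_matches(pattern, qualifier):
    regex = "".join(".*" if ch == "*" else "." if ch == "%" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, qualifier) is not None


def _match(pattern_quals, resource_quals):
    if not pattern_quals:
        return not resource_quals
    if pattern_quals[0] == "**":
        return any(_match(pattern_quals[1:], resource_quals[i:])
                   for i in range(len(resource_quals) + 1))
    return (bool(resource_quals)
            and _qualifier_matches(pattern_quals[0], resource_quals[0])
            and _match(pattern_quals[1:], resource_quals[1:]))


def profile_matches(profile, resource):
    return _match(profile.split("."), resource.split("."))


def _specificity(profile):
    # Discrete profiles beat generics; among generics, more literal text wins.
    # This approximates RACF's "most specific profile" selection.
    generic = any(ch in profile for ch in "*%")
    return (not generic, sum(ch not in "*%" for ch in profile))


def check(profiles, userid, resource, required="READ"):
    """profiles: list of (profile name, UACC, {userid: access}).
    Returns (decision, covering profile). A resource no profile covers is
    reported NOT-DEFINED: RACF answers 'not protected' and IMS lets the
    command through (this example's assumption), which is why the sample
    list below carries a catch-all."""
    matching = [p for p in profiles if profile_matches(p[0], resource)]
    if not matching:
        return "NOT-DEFINED", None
    name, uacc, acl = max(matching, key=lambda p: _specificity(p[0]))
    granted = acl.get(userid, uacc)
    decision = "ALLOW" if ACCESS_LEVELS[granted] >= ACCESS_LEVELS[required] else "DENY"
    return decision, name


# Constructed profile list: the three profiles from the slide plus a catch-all.
PROFILES = [
    ("IMS.CSLPLX0.UPD.TRAN", "NONE", {"LONNIE": "UPDATE"}),
    ("IMS.CSLPLX0.UPD.DB", "NONE", {"ALAN": "UPDATE"}),
    ("IMS.CSLPLX1.QRY.*", "NONE", {"KENNY": "READ"}),
    ("IMS.**", "NONE", {}),  # added catch-all: anything else is denied, not undefined
]
```

Without the final IMS.** profile, a QRY on CSLPLX0 matches nothing and is reported NOT-DEFINED; with it, the same request is an explicit DENY that RACF can log.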

Protecting CF Structures
   RDEF FACILITY CQSSTR.IMSP_MSGQ1 UACC(NONE)
   PE CQSSTR.IMSP_MSGQ1 CLASS(FACILITY) ID(IMSP) ACCESS(UPDATE)
   RDEFINE FACILITY IXLSTR.IMSP_MSGQ1 UACC(NONE)
   PERMIT IXLSTR.IMSP_MSGQ1 CLASS(FACILITY) ID(IMSP) ACCESS(UPDATE)
   RDEFINE FACILITY IXLSTR.IMSP_IMSIRLM UACC(NONE)
   PERMIT IXLSTR.IMSP_IMSIRLM CLASS(FACILITY) ID(IRLMP) ACCESS(UPDATE)
   SETROPTS CLASSACT(FACILITY)
   SETROPTS RACLIST(FACILITY) REFRESH

Protecting IMSPlex
   ADDGROUP PLX0GRP ...
   ADDUSER IMS1USER ... DFLTGRP(PLX0GRP)
   ADDUSER CQS1USER ... DFLTGRP(PLX0GRP)
   ADDUSER OM1USER ... DFLTGRP(PLX0GRP)
   ADDUSER RM1USER ... DFLTGRP(PLX0GRP)
   ADDUSER ... DFLTGRP(PLX0GRP)                     (other address spaces needing access to SCI)
   RDEF STARTED OM1 STDATA(USER(OM1USER) GROUP(PLX0GRP) ...
   RDEF STARTED RM1 STDATA(USER(RM1USER) GROUP(PLX0GRP) ...
   RDEF ...                                          (for each started task)
   RDEFINE FACILITY CSL.CSLPLX0 UACC(NONE)
   PERMIT CSL.CSLPLX0 CLASS(FACILITY) ID(PLX0GRP) ACCESS(UPDATE)
   SETROPTS CLASSACT(FACILITY)
   SETROPTS RACLIST(FACILITY) REFRESH

Protecting IMS Data Sets
§ ADDSD ('IMSPROD.RESLIB','IMSPROD.PROCLIB','IMSPROD.ACBLIB') UACC(NONE) AUDIT(ALL) OWNER(IMSADMIN)
§ PERMIT 'IMSPROD.RESLIB' ID(IMSP,TESTGRP) ACCESS(READ)
§ PERMIT 'IMSPROD.RESLIB' ID(SYSPROG,MARY,HENRY) ACCESS(UPDATE)

PART 2: SMU CONVERSION

SMU Migration

IMS V10 SMU Support Removed
§ IMS V10 removes SMU and the SMU components:
  – The Security Maintenance Utility
  – Application Group Name Exit Routine (DFSISIS0)
  – IMS.MATRIXx data sets
§ Primary consideration
  – If migration from SMU to SAF/RACF has not already been done, migration to IMS V10 will also need to include migration from SMU to SAF/RACF

IMS V10 SMU Removal
§ Any SMU parameters in System Generation macros are ignored
  – COMM, IMSGEN, SECURITY macros
§ Utilities
  – The SMU utility is no longer supported
  – The Online Change utility ignores MATRIX data set DD cards
§ Execution parameters, e.g. AGN, SGN, ISIS, AOI1, MSCSEC, etc.
  – Ignored if they request SMU
  – Some parameters are no longer documented, but are ignored when specified
  – Defaults changed where the previous default was SMU
§ Commands that "require" SMU are rejected
  – e.g. /CHANGE PASSWORD

SMU Compared with RACF Security (Before IMS V10)
§ Basic command and transaction security is available with either SMU or RACF
  – SMU authorizes the LTERM to use a transaction/command
  – RACF authorizes the USERID to use a transaction/command
§ SMU keeps its security definitions in a matrix
  – Who can do what
  – What can be done by whom
§ RACF keeps its security definitions in resource profiles whose access lists describe who may use each defined resource
  – Resources are defined in RACF resource classes, for example:
    • Transactions – TIMS class (or groups of transactions in the GIMS class)
    • Commands – CIMS class (or groups of commands in the DIMS class)

RACF Security Before IMS Version 9
Most IMS security could already be implemented with RACF:
§ Sign-On user validation and verification
  – Check that the user is known
  – Check that the password is correct
§ Terminal Security – User v. physical terminal
§ IMS System Access Security – User v. IMS ID
§ Transaction Security – User v. Trancode
§ Command Security
  – User v. IMS Command in the Control Region
  – User v. IMS Command in Operations Manager
§ AOI Type 2 ICMD Call Security – User v. IMS Command
§ IMS Data Set Access Security – controls access to DBs and system data sets
§ DB Data Access Security – used with the DL/I AUTH call
  – User v. DB Record
  – User v. Segment
  – User v. Field
§ PSB Access Security – for ODBA and CPI-C – User v. PSBname
§ Connection Access Control – IMS Connect, CSL address spaces, CQS, etc.

Security Enhancements in IMS V9/V10
§ Version 9 introduced enhancements to IMS and the RACF interface to support the remaining functions that still required SMU in IMS V8:
  1. Application Group Name (AGN) security
  2. Type 1 Automated Operator Interface (AOI)
  3. Terminal security for Time-Controlled Operations (TCO)
  4. MSC link-receive security for non-directed routing
  5. /LOCK, /UNLOCK and /SET commands with passwords
  6. Static terminal signon
§ IMS V9 is the last release to support SMU

Resource Access Security (Replaces AGN Security)

Resource Access Security with SMU
§ Uses Application Group Name (AGN) security
  – IMS Version 9 was the last release to support AGN security
§ Objective of AGN security
  – Check at program scheduling time that the resources involved (PSB, TRANcode, LTERM) are authorized to be used by the dependent region
§ Predominantly used for BMPs, but actually applies to all dependent regions and connecting threads (DRA/CCTL/ODBA)

AGN Security Requirements
§ THREE required elements:
  1. AGN defined in SMU
     – A named group of PSBs, transaction codes and LTERM names
  2. RACF (optional – the DFSISIS0 exit can be used instead)
     – Define the AGN in the AIMS resource class
     – Permit userids to use the AGN
  3. Dependent region JCL must contain the AGN=xxx execution parameter
     – It would also contain the USERID

AGN Security Checks
§ At dependent region startup
  – The AGN name (if specified in the JCL) is authorized for use by the region's USERID
    • RACF or DFSISIS0 (Resource Access Security Exit)
  – In practice, AGN security is mostly used only with BMPs
§ At program scheduling time
  – A check (performed by SMU) that the required IMS resource(s) are in the AGN group for this region:
    • MPP / JMP: check TRAN in AGN
    • Message-driven BMP: check TRAN and PSB in AGN
    • NMD-BMP / IFP / JBP: check PSB in AGN
    • NMD-BMP with OUT=: additionally check the output LTERM / TRAN in AGN

Resource Access Security (RAS)
§ The old way – SMU and AGN
  – BMP example – relies on "AGN=" being coded in the JCL
  [Figure: dependent region BMP1 is started with JCL IMSID=IMSA, AGN=AGN1, USER=BMP1, PASSWORD=PW. (1) At region startup, RACF IDENTIFY/CONNECT builds the ACEE for BMP1 and RACROUTE REQUEST=AUTH, CLASS=AIMS, ENTITY=AGN1 checks BMP1 against the AIMS profiles and access lists (AGN1 – BMP1, AGN2 – IFP1, AGNX – MPP1). (2) When PAYROLL is scheduled, SMU checks the AGN table: AGN1 contains PAYROLL, PSB5, PAYTRAN, LTERM2, LT1234A9, LT47AZ50; AGNX contains TRANX, LTERM1.]
  – An alternative to the use of RACF is the DFSISIS0 exit, renamed to "AGN Security Exit" (one or the other is called, not both)

Resource Access Security (RAS) with IMS V9/V10
§ The new way in IMS V9/V10
  – Provides direct RACF authorization checking, at program scheduling time, of the region userid against the IMS resource (TRAN, PSB, LTERM)
  – Uses RACF security classes for PSBs and LTERMs:
    • IIMS: Program Specification Block (PSB)
    • JIMS: Grouping class for PSBs
    • LIMS: Logical terminal (LTERM)
    • MIMS: Grouping class for LTERMs
    • TIMS: Transaction (TRAN)
    • GIMS: Grouping class for transactions
  – PSBs in the AIMS class are for ODBA and explicit APPC use of APSB only (further details follow)

Enabling Resource Access Security in IMS V9/V10
§ New specifications in system definition
  – SECURITY ... TYPE = RASRACF | RASEXIT | RAS | NORAS | NOAGN | RACFAGN | AGNEXIT
    RASRACF = RAS security invokes RACF
    RASEXIT = RAS security invokes an IMS user exit (DFSRAS00)
    RAS     = RAS security invokes RACF and the user exit DFSRAS00
    NORAS   = No security (turns off both RAS and SMU)
    NOAGN | RACFAGN | AGNEXIT are ignored in V10
§ New specifications during startup (DFSPBxxx exec parameter)
  – ISIS = N | R | C | A | 0 | 1 | 2
    N = No security (turns off both RAS and SMU)
    R = RAS security invokes RACF
    C = RAS security invokes an IMS user exit (DFSRAS00)
    A = RAS security invokes RACF and the user exit DFSRAS00
    0 | 1 | 2 are ignored in V10
  – ISIS defaults to the SECURITY ... TYPE= specification (or its default)
  – ISIS=N (or 0) turns off resource access security checking entirely

Resource Access Security Checks
§ A new user exit (DFSRAS00) is called after RACF (when both are used)
  – Provides authorization of IMS resources to IMS dependent regions in a RAS environment
§ RACF and/or DFSRAS00 make checks at every program schedule using the region's USERID:
  – Authorize region against transaction (MPP, JMP)*
  – Authorize region against transaction and PSB (MD BMP)*
  – Authorize region against PSB and OUT=LTERM (NMD BMP, JBP)
  – Authorize region against PSB and OUT=transaction (NMD BMP, JBP)*
  – Authorize region against PSB (IFP, JBP, NMD BMP, DRA|CCTL|ODBA)
  * Also check that the region userid can use the LTERM (if the LTERM is defined in the LIMS class)
§ Available in DCCTL, DB/DC and DBCTL
  – DFSISIS0 remains available in an AGN environment for V9, but AGN security and the new RAS security cannot coexist in a single IMS system

Resource Access Security and APSB Security
§ When RAS is enabled
  – A RAS check is made at every MPP/JMP program schedule using the region's userid
  – A RAS check is made at every BMP/IFP/JBP program schedule using the region's userid
  – A RAS check is made at every CICS/DBCTL program schedule using the userid of the CICS address space
    • Completely separately, CICS can perform a check of the terminal user against the PSB
§ RAS checking takes place at a program schedule
  – PSB defined in the IIMS RACF class
§ APSB security checking takes place for an "APSB call"
  – PSB defined in the AIMS RACF class
§ IMS never uses both checks for the same schedule
§ ODBA APSB call
  – Exec parameter ODBASE=Y means use APSB security
  – With ODBASE=N, RAS (or AGN) security applies if enabled
§ Explicit APPC (CPI-C) APSB call
  – If APSB security is performed (with the caller's userid), the RAS check is not made
  – If APSB security is not performed, the RAS check (if enabled) is performed using the region's userid
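The two preceding slides give the per-region-type rules and the ODBASE=Y switch from a RAS check in IIMS to an APSB check in AIMS. The following script is an added illustration, not part of the presentation or of IMS: it lists the (class, resource) checks RAS would make for a given region and runs them against a constructed profile store. The store models only discrete profiles and the '**' catch-all, and it treats a resource that is not defined to RACF as authorized, which is this example's assumption about IMS behaviour and the reason a catch-all matters.

```python
# Added example (not from the presentation): list the RACF checks RAS makes
# for a given dependent region at schedule time, per the rules on the slides
# above, and evaluate them against a constructed profile store. The store
# models only discrete profiles and the '**' catch-all, with the IMS
# resource-not-defined behaviour assumed to be "authorized".

TRAN_ONLY_REGIONS = {"MPP", "JMP"}
PSB_ONLY_REGIONS = {"IFP", "DRA", "CCTL", "ODBA"}
PSB_AND_OUT_REGIONS = {"NMDBMP", "JBP"}   # non-message-driven BMP, Java batch


def ras_checks(region, psb=None, tran=None, out_tran=None, out_lterm=None,
               odbase=False):
    """Return the (class, resource) pairs checked against the region userid.
    An ODBA thread under ODBASE=Y gets the APSB check (AIMS) instead of RAS;
    IMS never makes both checks for one schedule."""
    if region == "ODBA" and odbase:
        return [("AIMS", psb)]
    if region in TRAN_ONLY_REGIONS:
        return [("TIMS", tran)]
    if region == "MDBMP":                       # message-driven BMP
        return [("TIMS", tran), ("IIMS", psb)]
    if region in PSB_ONLY_REGIONS:
        return [("IIMS", psb)]
    if region in PSB_AND_OUT_REGIONS:
        checks = [("IIMS", psb)]
        if out_tran:
            checks.append(("TIMS", out_tran))
        if out_lterm:
            checks.append(("LIMS", out_lterm))   # only enforced if defined in LIMS
        return checks
    raise ValueError("unknown region type " + region)


class ProfileStore:
    """Constructed stand-in for the RACF database: class -> profile -> users."""

    def __init__(self, profiles):
        self.profiles = profiles

    def authorized(self, userid, cls, resource):
        class_profiles = self.profiles.get(cls, {})
        if resource in class_profiles:          # discrete profile
            return userid in class_profiles[resource]
        if "**" in class_profiles:              # generic catch-all
            return userid in class_profiles["**"]
        return True  # not defined to RACF: treated as authorized (assumption)


def schedule_allowed(store, userid, region, **resources):
    """Run every RAS check for one schedule; returns (allowed, failing check)."""
    for cls, resource in ras_checks(region, **resources):
        if not store.authorized(userid, cls, resource):
            return False, (cls, resource)
    return True, None


# Constructed store mirroring migration Example 1 below (member profiles rather
# than the grouping classes used there) plus '**' catch-alls in IIMS and TIMS.
SAMPLE_STORE = ProfileStore({
    "IIMS": {"DEBS": {"BMPUSER1"}, "APOL1": {"BMPUSER1"}, "**": set()},
    "TIMS": {"TRANA": {"BMPUSER1"}, "TRANB": {"BMPUSER1"}, "**": set()},
    "LIMS": {"IMSUS02": {"BMPUSER1"}, "T3270LD": {"BMPUSER1"}},
})
```

Note the LIMS class in the sample store has no catch-all: a non-message-driven BMP with OUT= pointing at an LTERM nobody defined passes the check, exactly the gap a '**' profile in LIMS closes.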

RAS Migration Examples
Example 1 – BMP with OUT=lterm/tran
OLD AGN definitions (SMU):
   )( AGN IMSDGRP
      AGPSB DEBS
      AGPSB APOL1
      AGTRAN TRANA
      AGTRAN TRANB
      AGLTERM IMSUS02
      AGLTERM T3270LD
RACF definitions (userid to AGN group):
   ADDUSER BMPUSER1
   RDEFINE AIMS IMSDGRP OWNER(IMSADMIN) UACC(NONE)
   PERMIT IMSDGRP CLASS(AIMS) ID(BMPUSER1) ACCESS(READ)
   SETROPTS CLASSACT(AIMS)
NEW RACF definitions:
   ADDUSER BMPUSER1
   RDEFINE JIMS RASPGRP ADDMEM(DEBS,APOL1) UACC(NONE)
   PERMIT RASPGRP CLASS(JIMS) ID(BMPUSER1) ACCESS(READ)
   RDEFINE GIMS RASTGRP ADDMEM(TRANA,TRANB) UACC(NONE)
   PERMIT RASTGRP CLASS(GIMS) ID(BMPUSER1) ACCESS(READ)
   RDEFINE MIMS RASLGRP ADDMEM(IMSUS02,T3270LD) UACC(NONE)
   PERMIT RASLGRP CLASS(MIMS) ID(BMPUSER1) ACCESS(READ)
PK35433 and PK38522:
• Program DFSKAGN0 is provided to assist in the conversion of AGN SMU statements to their RACF counterparts
• Skeleton DFSKSMJA is provided as a sample JCL stream for invoking DFSKAGN0

RAS Migration Examples (continued)
Example 2 – AGN name with access to all entities of a particular resource type
OLD AGN definitions (SMU):
   )( AGN ALLGRP
      AGPSB ALL
      AGTRAN ALL
In RACF, generic resource definitions can be used.
NEW RACF definitions:
   ADDUSER DRAINBMP
   RDEFINE IIMS ** UACC(NONE)
   PERMIT ** CLASS(IIMS) ID(DRAINBMP) ACCESS(READ)
   RDEFINE TIMS ** UACC(NONE)
   PERMIT ** CLASS(TIMS) ID(DRAINBMP) ACCESS(READ)
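Examples 1 and 2 show two hand-converted AGNs; a real MATRIX input has dozens. The script below is an added illustration of the same mapping for any number of AGNs. It is not IBM's DFSKAGN0 and not part of the presentation: the group-profile naming (AGN name plus P, T or L), the handling of resource ALL as a '**' generic in the member class, and the closing SETROPTS are this example's own choices, and the SMU input is constructed from the two examples above.

```python
# Added example (not from the presentation, and not IBM's DFSKAGN0): convert
# SMU AGN definitions into the RAS RACF commands shown in Examples 1 and 2,
# for any number of AGNs. Group-profile names (AGN name plus P/T/L) and the
# closing SETROPTS are this example's choices; resource 'ALL' becomes a '**'
# generic in the member class.
from collections import OrderedDict

# SMU statement -> (member class, grouping class, suffix for the group profile)
RESOURCE_CLASSES = OrderedDict([
    ("AGPSB", ("IIMS", "JIMS", "P")),
    ("AGTRAN", ("TIMS", "GIMS", "T")),
    ("AGLTERM", ("LIMS", "MIMS", "L")),
])


def parse_agn(text):
    """Parse ')( AGN name' blocks and their AGPSB/AGTRAN/AGLTERM statements."""
    groups = OrderedDict()
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == ")(":
            if len(tokens) != 3 or tokens[1] != "AGN":
                raise ValueError("unsupported SMU statement: " + raw.strip())
            current = tokens[2]
            groups[current] = {stmt: [] for stmt in RESOURCE_CLASSES}
        elif current is not None and len(tokens) == 2 and tokens[0] in RESOURCE_CLASSES:
            groups[current][tokens[0]].append(tokens[1])
        else:
            raise ValueError("unexpected AGN input: " + raw.strip())
    return groups


def racf_commands(groups, agn_users):
    """agn_users: AGN name -> region userids permitted to it in the AIMS class.
    Returns the RACF commands that give those userids the same resources
    through the RAS classes."""
    commands, classes_used = [], []
    for agn, members in groups.items():
        users = agn_users.get(agn)
        if not users:
            raise ValueError("no region userids supplied for AGN " + agn)
        commands += ["ADDUSER " + user for user in users]
        for stmt, (member_cls, group_cls, suffix) in RESOURCE_CLASSES.items():
            names = members[stmt]
            if not names:
                continue
            if "ALL" in names:
                # ALL -> generic catch-all in the member class (Example 2)
                cls, profile = member_cls, "**"
                commands.append("RDEFINE %s ** UACC(NONE)" % cls)
            else:
                if len(agn) > 7:
                    raise ValueError("AGN %s too long for the generated group name" % agn)
                cls, profile = group_cls, agn + suffix
                commands.append("RDEFINE %s %s ADDMEM(%s) UACC(NONE)"
                                % (cls, profile, ",".join(names)))
            commands.append("PERMIT %s CLASS(%s) ID(%s) ACCESS(READ)"
                            % (profile, cls, ",".join(users)))
            for c in (member_cls, group_cls):
                if c not in classes_used:
                    classes_used.append(c)
    commands.append("SETROPTS CLASSACT(%s)" % " ".join(classes_used))
    return commands


# Constructed input: the two AGNs from Examples 1 and 2.
SAMPLE_AGN = """\
)( AGN IMSDGRP
   AGPSB DEBS
   AGPSB APOL1
   AGTRAN TRANA
   AGTRAN TRANB
   AGLTERM IMSUS02
   AGLTERM T3270LD
)( AGN ALLGRP
   AGPSB ALL
   AGTRAN ALL
"""
```

The caller supplies the userid-to-AGN mapping (the old AIMS access lists) because the AGN statements themselves do not carry it; the generated commands are meant to be reviewed, not piped straight into TSO.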

Migrating Off SMU with V9
§ Define all AGN resources to RACF in the appropriate classes
§ Define all region ids as RACF users
  – BMPs, MPPs, IFPs, etc.
§ Permit the region ids to access the appropriate resources
§ Change the SECURITY macro to specify RAS, and/or
§ Change the ISIS= parameter in DFSPBxxx to specify RAS
§ If needed, add ODBASE=Y to DFSPBxxx
§ Restart IMS
§ When safe, remove the SMU definitions

AOI Security
AOI Security in V8 and Before
§ Automated Operator Program commands
  – Type 1 AOI – CMD calls
    • SMU transaction command security
      – SECURITY ... TRANCMD = NO | YES | FORCE   (ignored in V10)
      – /NRE or /ERE COLDSYS ... TRANCMDS | NOTRANCMDS
    • SMU definitions
      – Which commands can be executed by a specific program
      – Which programs can execute a specific command
        )( CTRANS AUTOCTL
           TCOMMAND START
           TCOMMAND STOP
        )( TCOMMAND STOP
           CTRANS AUTOCTL
           CTRANS ADDINV

AOI Security in IMS V9/V10
§ IMS V9 enhancements
  1. RACF and/or DFSCCMD0 support for
     – Type 1 AOI CMD calls AND
     – Type 2 AOI ICMD calls
  2. Exec parameter "AOI1", in addition to the existing "AOIS"
  3. New TRANSACT macro parameter
     • Defines what is used as the userid
     • Affects both Type 1 and Type 2 AOI calls
     • But has a slightly different meaning for each type
§ If you make no changes when migrating to IMS V9, AOI security will be as before

Security Support for Type 1 AOI (CMD)
§ New IMS EXEC parameter to choose the type of security
  – AOI1= N | C | R | A | S
  – 'S' is reset to 'R' in V10

TRANSACT AOI= Parameter
§ New IMSGEN TRANSACT parameter
  – TRANSACT ... , AOI= YES | TRAN | CMD | NO
  – Relates to the use of RACF/DFSCCMD0 for both types of AOI command call
    YES  = Requests that the USERID of the user who entered the transaction be authorized against the command (in the CIMS class)
    TRAN = Requests that the TRANCODE be used as the userid for authorization against the command (in the CIMS class)
           → transactions have to be defined to RACF as USERIDs
    CMD  = Requests that the COMMAND CODE (first three characters of the command) be authorized against the trancode (in the TIMS class)
           → the first three characters of IMS commands have to be defined to RACF as USERIDs
    NO   = AOI Type 1 CMD calls are not allowed; not relevant for AOI Type 2 ICMD calls – same as YES
  – Note: Type 2 commands now have additional security options

RACF Replacement for Type 1 AOI (CMD) SMU Security
OLD (SMU):
   )( CTRANS AUTOCTL
      TCOMMAND START
      TCOMMAND STOP
   )( TCOMMAND STOP
      CTRANS AUTOTRAN
      CTRANS ADDINV
NEW (RACF definitions):
   ADDGROUP AOCMDS
   ADDUSER STO DFLTGRP(AOCMDS)
   ADDUSER STA DFLTGRP(AOCMDS)
   TRANSACT CODE=AUTOCTL AOI=CMD
   RDEFINE TIMS AUTOCTL UACC(NONE)
   PERMIT AUTOCTL CLASS(TIMS) ID(AOCMDS) ACCESS(READ)

   ADDUSER AUTOTRAN
   ADDUSER ADDINV
   TRANSACT CODE=AUTOTRAN AOI=TRAN
   RDEFINE CIMS STO UACC(NONE)
   PERMIT STO CLASS(CIMS) ID(AUTOTRAN,ADDINV) ACCESS(READ)
Specify the TRANSACT macro AOI= parameter in the IMS definitions.
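The slide above converts one CTRANS block and one TCOMMAND block by hand. The script below is an added illustration of the same mapping for a whole set of Type 1 AOI definitions; it is not IBM's DFSKCIMS and not part of the presentation. Two choices are this example's own: it permits only the command verbs actually listed for a transaction (the slide permits the whole AOCMDS group), and it creates the verb and transaction userids as RACF protected user IDs (NOPASSWORD NOOIDCARD), which cannot sign on at all, where the slide's later advice is to give them a password. The group name AOCMDS is taken from the slide; the SMU input is constructed.

```python
# Added example (not from the presentation, and not IBM's DFSKCIMS): convert
# SMU Type 1 AOI definitions into RACF commands plus the TRANSACT AOI= value
# each transaction needs, following the mapping on the slide above but
# permitting only the listed command verbs. The group name AOCMDS and the use
# of protected user IDs (NOPASSWORD NOOIDCARD) are this example's choices.
from collections import OrderedDict

VERB_GROUP = "AOCMDS"   # RACF group holding the command-verb userids


def parse_aoi(text):
    """Parse ')( CTRANS tran' blocks (commands a program may issue) and
    ')( TCOMMAND cmd' blocks (programs that may issue a command)."""
    by_tran, by_cmd = OrderedDict(), OrderedDict()
    target = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == ")(" and len(tokens) == 3:
            kind, name = tokens[1], tokens[2]
            if kind == "CTRANS":
                target = by_tran.setdefault(name, [])
            elif kind == "TCOMMAND":
                target = by_cmd.setdefault(name, [])
            else:
                raise ValueError("unsupported SMU statement: " + raw.strip())
        elif target is not None and len(tokens) == 2 and tokens[0] in ("TCOMMAND", "CTRANS"):
            target.append(tokens[1])
        else:
            raise ValueError("unexpected AOI input: " + raw.strip())
    return by_tran, by_cmd


def verb(command):
    """RACF sees the first three characters of the command (START -> STA)."""
    return command[:3].upper()


def convert(by_tran, by_cmd):
    """Return (RACF commands, {transaction: AOI= value for its TRANSACT macro})."""
    commands, transact = [], OrderedDict()
    # CTRANS blocks -> AOI=CMD: the command verb is the userid and the
    # transaction is the TIMS resource it must be permitted to.
    if by_tran:
        commands.append("ADDGROUP " + VERB_GROUP)
        verbs = []
        for cmds in by_tran.values():
            for c in cmds:
                if verb(c) not in verbs:
                    verbs.append(verb(c))
        commands += ["ADDUSER %s DFLTGRP(%s) NOPASSWORD NOOIDCARD" % (v, VERB_GROUP)
                     for v in verbs]
        for tran, cmds in by_tran.items():
            transact[tran] = "CMD"
            ids = []
            for c in cmds:
                if verb(c) not in ids:
                    ids.append(verb(c))
            commands.append("RDEFINE TIMS %s UACC(NONE)" % tran)
            commands.append("PERMIT %s CLASS(TIMS) ID(%s) ACCESS(READ)" % (tran, ",".join(ids)))
    # TCOMMAND blocks -> AOI=TRAN: the transaction code is the userid and the
    # command verb is the CIMS resource.
    for cmd, trans in by_cmd.items():
        for tran in trans:
            if transact.get(tran) == "CMD":
                raise ValueError("%s appears in both forms; a TRANSACT macro takes one AOI= value" % tran)
            if tran not in transact:
                transact[tran] = "TRAN"
                commands.append("ADDUSER %s NOPASSWORD NOOIDCARD" % tran)
        commands.append("RDEFINE CIMS %s UACC(NONE)" % verb(cmd))
        commands.append("PERMIT %s CLASS(CIMS) ID(%s) ACCESS(READ)" % (verb(cmd), ",".join(trans)))
    return commands, transact


# Constructed input: the two SMU blocks from the slide above.
SAMPLE_SMU = """\
)( CTRANS AUTOCTL
   TCOMMAND START
   TCOMMAND STOP
)( TCOMMAND STOP
   CTRANS AUTOTRAN
   CTRANS ADDINV
"""
```

A transaction that appears in both a CTRANS block and under a TCOMMAND block is rejected rather than silently assigned one AOI= value, because the two forms authorize in opposite directions and the administrator has to pick.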

RACF and SMU Coexistence in IMS V9
§ Only relevant for Type 1 AOI (CMD) calls
  – AOI1=S
    • Uses SMU security (V9; in V10 the value is reset to R)
    • TRANSACT AOI value ignored
  – AOI1=N
    • No authorization checking is done
    • TRANSACT AOI value ignored
  – AOI1=R | C | A
    • Uses RACF and/or DFSCCMD0
    • TRANSACT AOI value honored
  – AOI1 not specified
    • Defaults to the IMS GEN specification for SMU in V9
    • Defaults to R in V10
§ Final override
  – /NRE or /ERE ... TRANCMDS | NOTRANCMDS
    • V9: honored when SMU is in use (with NOTRANCMDS, CMD calls are not allowed)
    • V10: ignored

Migrating Off SMU on V9 – Type 1 (CMD)
§ Initially, code AOI1=S to get SMU security
§ Set up the required RACF definitions for type 1 commands
  – If you define trancodes or IMS command verbs as userids, specify a password to ensure that people cannot sign on with these userids
§ Add AOI=value to the TRANSACT macros in the IMSGEN
  – Can use online change
  – Will be ignored for type 1 commands while AOI1= indicates SMU security
§ Change (or add) AOI1=R in DFSPBxxx
§ Restart IMS (can be warm)
§ When safe, remove the SMU definitions
PK35433 and PK38522:
• Program DFSKCIMS is provided to assist in the conversion of SMU statements to their RACF counterparts
• DFSKSMU1 and DFSKAOI1 assist in adding the AOI= parameter to TRANSACT macros

Time Control Option (TCO) Security

TCO Security in V8 and Before
§ Time Controlled Operations (TCO)
  – IMS capability to execute time-initiated commands and transactions
§ Security support
  – Authorization of the loading of a TCO script by an LTERM
    • Performed only by the DFSTCNT0 exit
  – Resource authorization
    • Command and transaction security using SMU
    • Transaction security (only) using RACF – command security could be requested but is not performed

TCO Security in IMS V9/V10
§ Loading of TCO scripts
  – No change – performed only by the DFSTCNT0 exit
§ Resource security
  – Command and transaction security with SMU in V9, but not in V10
  – Command and transaction security with RACF in V9/V10

TCO Security with SMU
§ Uses standard SMU transaction and command security for DFSTCFI (the TCO input LTERM)
   )( TERMINAL DFSTCFI
      COMMAND START
      COMMAND STOP
      TRANSACT STATTRN
   )( COMMAND START
      TERMINAL DFSTCFI
   )( COMMAND STOP
      TERMINAL DFSTCFI
§ DFSCCMD0 will also be called, if it exists (after the SMU check), for command security

RACF Security for TCO in V8
§ Requires the IMS EXEC parameter RCF= A | S | R | B
  – Requests RACF support for transaction and command authorization
§ Requires a USERID
  – TCO script specification of /SIGN ON tcousid tcopw
    • Should also issue /SIGN OFF at the end of the script
  – Otherwise the control region userid is used
§ Available for RACF authorization of transactions only
  – The TCO userid is authorized to use transactions in the TIMS class, as usual
§ Command security for the TCO userid can be specified ...
  – ... but RACF will not be called – TCO is treated by IMS V8 like a system console or master terminal
    • Eligible to enter any commands
  – DFSCCMD0 will be called if it exists
  (No RACF for commands!)
RACF Support for TCO in IMS V9/V10
§ Requires the new execution parameter TCORACF = Y | N
  – Specifies whether or not TCO command security is done with RACF
§ Requires RCF = A | S | R | B (R/B ignored in V10)
  – RACF is called for TCO command security only if TCORACF=Y is also specified
§ Requires a TCO USERID
  – TCO script specification of /SIGN ON tcousid tcopw
  – If DFSTCFI is not required to sign on, the IMS user ID is used
§ RACF is called in the standard way to authorize transactions and commands
  – Using the TCO USERID
§ DFSCCMD0 will be called if it exists (after RACF) for command security

however. Page 113 114 o m w w w w . was never invoked. Command authorization.d o c u-tr a c k c u-tr a c k .c IBM Software Group RACF Support for TCO .PD H F-XC A N GE PD H F-XC A N GE O W ! N y bu to k lic C m C lic k to bu y N . In IMS V9/10 (TCORACF=Y).The TCO script issues a /SIGN ON for TCOUSID ..d o w o . using the same definitions.The TCO userid (TCOUSID) is connected to a RACF group . RACF will be invoked for command authorization..c O W ! w . If so. authorization for the transaction was done.Command and transaction profiles already exist . OLD )( TERMINAL DFSTCFI COMMAND START COMMAND STOP TRANSACT STATTRN “ NEW” ADDUSER TCOUSID DFLTGRP(IMS) OWNER(IMS) PASSWORD(tcopw) PERMIT STA CLASS(CIMS) ID(TCOUSID) ACCESS(READ) PERMIT STO CLASS(CIMS) ID(TCOUSID) ACCESS(READ) PERMIT STATTRN CLASS(TIMS) ID(TCOUSID) ACCESS(READ) This example assumes: .RCF= and TCORACF=Y are specified SMU to RACF Security The above definitions could have been coded in prior releases.

c O W ! w .PD H F-XC A N GE PD H F-XC A N GE O W ! N y bu to k lic C m C lic k to bu y N .d o w o . remove SMU definitions SMU to RACF Security Page 114 115 o m w w w w .d o c u-tr a c k c u-tr a c k .c IBM Software Group Migrating Off SMU on V9 § Prerequisite is that RACF is used for command / transaction security – RCF= A | S | R | B R/B ignored in V10 § Define TCO userid and permissions in RACF § Add /SIGN ON to all TCO scripts § Add TCORACF=Y to DFSPBxxx § Restart IMS (can be warm) § When safe.

d o c u-tr a c k c u-tr a c k .c IBM Software Group MSC Link Receive Security SMU to RACF Security Page 115 116 o m w w w w .c O W ! w .PD H F-XC A N GE PD H F-XC A N GE O W ! N y bu to k lic C m C lic k to bu y N .d o w o .

MSC Link Receive Security in V8
§ Directed Routing*
– Uses RACF, and Transaction Authorization Exit Routine (DFSCTRN0) if defined
– If DFSMSCE0 exit (link receive entry point) is defined, RACF and DFSCTRN0 are called before and after the call of DFSMSCE0
§ Non-Directed Routing
– Uses SMU (after the DFSMSCE0 call)
• Normal transaction security using MSName as the LTERM name
– Note: security checking may also have already taken place in the inputting IMS (terminal security or CHNG call security)
Note that Directed and Non-directed routing use different userids for security
* "Directed Routing" is when the application explicitly specifies the target location
• Not necessarily defined in IMS GEN

MSC Link Receive Security in V8 …
[Diagram: Non-Directed Routing: TRANX on IMSA (APPLCTN PSB=APPLX, TRANSACT CODE=TRANX SYSID=(01,30)) is checked by SMU against the SMU tables, with SMU definitions )( TRANSACT TRANX / TERMINAL MSNAME1, where MSNAME1 is the logical link. Directed Routing: ISRT TRANZ from the MPP on IMSB/IMSC (APPLCTN PSB=APPLY, TRANSACT CODE=TRANZ) is checked by RACF through the System Authorization Facility and the RACF data space (resource profiles and access lists, ACEEs for USER1/USER2): build the USER2 ACEE, then check USER2 access to TRANZ (TWICE!).]

MSC Link Receive Security in IMS Version 9/10
§ New DFSDCxxx parameter to specify use of RACF / DFSCTRN0
– MSCSEC=(parm1, parm2)
• parm1: defines types of MSC link-receive usage that require security
} LRDIRECT | LRNONDR | LRALL | LRNONE
• parm2: defines type of security check to be performed
} CTL | MSN | USER | EXIT | CTLEXIT | MSNEXIT | USREXIT | NONE

RACF for MSC Link Receive Security in V9/V10
§ MSCSEC=(parm1, …)
– LRDIRECT = Link Receive Directed Routing tran security checking
– LRNONDR = Link Receive Non-Directed Routing tran security checking
– LRALL = LRDIRECT and LRNONDR
– LRNONE = No Link Receive security checking
§ V8 compatibility is provided with LRDIRECT
– V9 will use SMU security for non-directed routing, but V10 will have no security for non-directed routing when LRDIRECT is specified
§ RACF / DFSCTRN0 called once, after DFSMSCE0
§ The USERID to be used is defined by MSCSEC parm2 or the DFSMSCE0 Exit

RACF for MSC Link Receive Security in V9/V10 …
§ MSCSEC=(…, parm2)
– Specifies what is used as "userid" for the transaction security check
– MSCSEC=(LRDIRECT | LRNONDR | LRALL | LRNONE, CTL | MSN | USER | EXIT | CTLEXIT | MSNEXIT | USREXIT | NONE)
CTL = Use userid of control region
MSN = Use MSNAME as the userid
USER = Use the terminal user's userid
EXIT = Authorization by user exit alone (DFSCTRN0)
CTLEXIT = Use ctl regn userid for RACF and call DFSCTRN0
MSNEXIT = Use MSNAME as userid for RACF and call DFSCTRN0
USREXIT = Use terminal user's userid for RACF and call DFSCTRN0
NONE = No security authorization checking
Note: with RACF, the security environment for the control region or MSNAME is built once when first used, and retained. But the security environment for an end user is built and deleted for each message.

New Role for DFSMSCE0 Link Receive Processing
§ Traditionally, directed and non-directed routing have used different userids for security
– To achieve this in future will require the use of the DFSMSCE0 exit
§ Additional data is passed to DFSMSCE0
– Userid, Group name, and Userid indicator
§ DFSMSCE0 can override the MSCSEC PARM2 value
– In other words, DFSMSCE0 link receive processing can
• Enable or disable security check
• Enable or disable use of DFSCTRN0
• Choose what userid to use for RACF security
} user, control region or MSName

Migrating Off SMU with IMS V9
§ When migrating to IMS V9, add to DFSDCxxx
– MSCSEC=(LRDIRECT,USER)
• or authorise the control region for transaction execution, and take default MSCSEC values (LRDIRECT,CTL)
§ Decide what type of userid to use for directed and non-directed routing
– Easier when both the same, but can be different
§ Update RACF to include new userids (MSNAMEs and Ctl Rgn) if necessary, and grant their access to transactions
§ If using two types of userid, code DFSMSCE0 accordingly
§ Change DFSDCxxx to include
– MSCSEC=(LRALL, USER | MSN | CTL)
§ Restart IMS
§ When safe, remove SMU definitions
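An added example, not part of the presentation, of the MSN choice described above: the receiving IMS gets MSCSEC=(LRALL,MSN) in DFSDCxxx, and the MSNAME is defined to RACF as a userid and permitted to the transaction, as a batch TSO job. MSNAME1 and TRANZ are the names from the earlier diagram; the group IMS, the job card and the use of a protected (NOPASSWORD) userid are assumptions.

```jcl
//RACFMSC  JOB (ACCT),'MSC LINK RECEIVE',CLASS=A,MSGCLASS=X
//* Added example (not from the presentation): migrating MSC link
//* receive security to RACF with MSCSEC=(LRALL,MSN), i.e. every
//* link-receive message, directed or not, is authorised under the
//* MSNAME of the receiving link. MSNAME1 and TRANZ are taken from
//* the earlier diagram; group IMS and the job card are assumed.
//*
//* 1) DFSDCxxx of the receiving IMS (new V9/V10 parameter):
//*      MSCSEC=(LRALL,MSN)
//*    LRALL replaces the V8 split (RACF for directed routing, SMU
//*    for non-directed); MSN makes the MSNAME the RACF userid.
//*
//* 2) RACF: the MSNAME must exist as a userid. NOPASSWORD makes it
//*    a protected userid nobody can log on with; IMS builds its ACEE
//*    once at first use and keeps it, as the MSCSEC parm2 note says.
//*    The TIMS profile for TRANZ is created here; omit the RDEFINE
//*    if transaction security already defined it.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDUSER MSNAME1 NOPASSWORD DFLTGRP(IMS) OWNER(IMS) -
    NAME('MSC LINK RECEIVE USERID')
  RDEFINE TIMS TRANZ UACC(NONE) OWNER(IMS)
  PERMIT TRANZ CLASS(TIMS) ID(MSNAME1) ACCESS(READ)
  SETROPTS RACLIST(TIMS) REFRESH
/*
```

Repeat the ADDUSER/PERMIT pair for every MSNAME on the receiving system; the sending system's profiles must then be kept in line with it, as the migration checklist says.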

/LOCK, /UNLOCK and /SET Security

/LOCK, /UNLOCK and /SET Security in V8
§ SMU is used to provide Password Security
– Password is associated with a specific resource
– e.g. /LOCK DATABASE payroll (uomecash) or /SET TRANSACTION paytran (uomecash)
– Note: these passwords can not be used with ETO terminals (ETO and SMU are incompatible)
§ Definitions to achieve SMU /LOCK and /SET password security
– IMSGEN SECURITY Macro: PASSWD=YES
• Can override with /NRE or /ERE COLDSYS PASSWORD
– SMU Definitions
)( DATABASE PAYROLL
PASSWORD UOMECASH
or
)( PASSWORD UOMECASH
DATABASE PAYROLL
PROGRAM PAYPROG
TRANSACT PAYTRAN

Use of /LOCK, /UNLOCK and /SET Security
§ An "end user manager" can LOCK and UNLOCK his users' LTERMs
– One or more LTERMs for a physical terminal
– Only he knows the password to do this (when using SMU)
§ Similarly he can SET the destination transaction code for a terminal
– Only he knows the password to do this (when using SMU)
§ Senior operators can LOCK and UNLOCK DBs, programs and transactions
– Only they know the passwords to do this (when using SMU)
§ In IMS V9/V10 with RACF, these "special people" are explicitly authorized to LOCK, UNLOCK and SET specific resources

RACF /LOCK, /UNLOCK and /SET Security in IMS V9/V10
§ New DFSDCxxx parameter: LOCKSEC = Y | N
– N = No authorization checking
• standard command security will still apply
– Y = Calls RACF (and DFSCTRN0 if TRAN)
• RACF classes: LIMS, IIMS, PIMS, TIMS for LTERM, PSB, DB, TRAN respectively
• Does not apply to /LOCK or /UNLOCK of NODE or PTERM
• If the resource is not defined to RACF, access will be granted
§ RACF security is based on the user's userid
– Userid must be authorized to issue /LOCK, /UNLOCK, /SET commands AND must be authorized for use of the specific resource
§ Password security is still available in V9 and V10
– In V9, SMU checking can still be requested (done before RACF)
– In V9/10, RACF REVERIFY password support can be requested
• User's signon password is used for reverification

Migrating Off SMU with V9
§ Define to RACF all resources that need to be LOCKed or SET
– LTERMs, Programs (PSBs), DBs, and Transactions
§ Grant authority for using these resources to the appropriate userids
§ Add LOCKSEC=Y to DFSDCxxx
§ Restart IMS
§ When safe, remove SMU definitions
§ Inform users that passwords are no longer needed
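An added example, not from the presentation, of the RACF definitions that replace the SMU )( PASSWORD UOMECASH definitions for PAYROLL, PAYPROG and PAYTRAN from the earlier slide once LOCKSEC=Y is in DFSDCxxx, run as a batch TSO job. The operator userid OPER1, the group IMS, the job card, and the assumption that none of these profiles exist yet are mine.

```jcl
//RACFLOCK JOB (ACCT),'SMU LOCK TO RACF',CLASS=A,MSGCLASS=X
//* Added example (not from the presentation). With LOCKSEC=Y the
//* SMU password UOMECASH is no longer checked; instead the user
//* issuing /LOCK, /UNLOCK or /SET needs READ to the command (CIMS)
//* and READ to the resource in the class LOCKSEC=Y uses:
//*   PIMS = database, IIMS = program (PSB), TIMS = transaction.
//* Userid OPER1, group IMS and the job card are assumed.
//* Note the slide's caveat: a resource that is NOT defined to RACF
//* is granted, so every lockable resource gets a UACC(NONE) profile.
//* CIMS profile names are the first three characters of the command
//* verb (STA/STO on the TCO slide), hence LOC, UNL and SET.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE PIMS PAYROLL UACC(NONE) OWNER(IMS)
  RDEFINE IIMS PAYPROG UACC(NONE) OWNER(IMS)
  RDEFINE TIMS PAYTRAN UACC(NONE) OWNER(IMS)
  RDEFINE CIMS (LOC UNL SET) UACC(NONE) OWNER(IMS)
  PERMIT LOC CLASS(CIMS) ID(OPER1) ACCESS(READ)
  PERMIT UNL CLASS(CIMS) ID(OPER1) ACCESS(READ)
  PERMIT SET CLASS(CIMS) ID(OPER1) ACCESS(READ)
  PERMIT PAYROLL CLASS(PIMS) ID(OPER1) ACCESS(READ)
  PERMIT PAYPROG CLASS(IIMS) ID(OPER1) ACCESS(READ)
  PERMIT PAYTRAN CLASS(TIMS) ID(OPER1) ACCESS(READ)
  SETROPTS CLASSACT(PIMS IIMS TIMS CIMS)
  SETROPTS RACLIST(TIMS CIMS) REFRESH
/*
```

After the restart, OPER1 can issue /LOCK DATABASE PAYROLL without a password, while a userid that lacks READ to PAYROLL in PIMS is rejected even if it holds the LOC command.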

Sign On Verification Security

Signon Verification Security in V8
§ SMU method for static terminal Signon Verification
– Defines which static (non-ETO) terminals must /SIGN ON
)( SIGN
STERM TERM1
STERM TERM2
STERM TERM3
...
or STERM ALL
– Requires SECURITY SECLVL=SIGNON or FORCSIGN
– … and typically requests RACF verification of userid/password with SECURITY TYPE=RACFTERM

Signon Verification Security in IMS Version 9/10
§ Does not require RACF (or SMU)
§ New startup parameter in DFSDCxxx
– SIGNON = ALL | SPECIFIC
• ALL: all static terminals (except 3284/3286, SLU1 printers, and MTOs)
• SPECIFIC: based on OPTIONS of the TYPE/TERMINAL macro
§ Addition to the OPTIONS parameter on the TYPE and/or TERMINAL macros
– OPTIONS = (..., SIGNON | NOSIGNON)
• Specification on the TERMINAL macro overrides TYPE
§ In V9, if a TERMINAL has both a SMU STERM specification and a conflicting OPTIONS=NOSIGNON, then SMU takes precedence

Migrating Off SMU with IMS V9
For "ALL"
§ Add SIGNON=ALL to DFSDCxxx
§ Restart IMS
For "SPECIFIC"
PK35433 and PK38522
• Programs DFSKSMU1 and DFSKSMU2 are provided to assist in the conversion of )(SIGN SMU statements to the OPTIONS SIGNON parameter on the TERMINAL macros
• Skeleton DFSKSMJS is provided as sample JCL for invoking DFSKSMU1 and DFSKSMU2
§ Add OPTIONS=(… SIGNON …) for all TERMINALs which currently have an explicit SMU signon requirement
§ Add SIGNON=SPECIFIC to DFSDCxxx
§ Restart IMS
§ When safe, remove SMU definitions

Other Considerations

Implementing LTERM Security with RACF
§ SMU can be used to provide LTERM-based transaction and/or command security (for static LTERMs)
)( TERMINAL LTERM5
COMMAND DIS
TRANSACT TRANA
§ Equivalent security can be provided by RACF, but requires that RACF be called from the Transaction and/or Command Authorisation Exits (DFSCTRN0, DFSCCMD0). For example,
– Protect the static LTERMs with the LIMS resource class
– Define the commands (there are about 50) and/or transaction codes as userids
– In DFSCCMD0/DFSCTRN0, invoke RACF to VERIFY the IMS command/transaction as a userid, and authorize it against the LTERM name

Implementing LTERM Security with RACF …
§ Or, for even tighter security,
– Create FACILITY class RACF profiles of command.lterm, e.g. DIS.LTERM5, and similarly for trancode.lterm, e.g. TRANA.LTERM5
– In DFSCCMD0/DFSCTRN0, call RACF to authorize the user ID/group to the resource class using the applicable resource combinations
§ The IBM tool "IMS ETO Support for z/OS" can be used to provide SMU-like security for
– TRANSACTION/LTERM
– TRANSACTION/PASSWORD
– COMMAND/LTERM
without requiring any user coding of the IMS Exits
– It supports both Static and Dynamic terminals

Implementing Password Security with RACF
§ SMU can provide additional protection for signed on static terminals, by requiring the user to enter the SMU-defined password that is associated with a transaction or command (or resource for /LOCK, /UNLOCK and /SET)
§ RACF Solution
– Applies to static and ETO terminals
– Use the REVERIFY facilities in IMS and RACF
• Specify RVFY=Y in IMS
• Specify 'REVERIFY' in the APPLDATA section of the RACF profile for the transactions and commands
– Requires a signed on user to reenter the signon password with the transaction or command input
/DBR(mypassw) DATABASE XYZ

Migration Considerations ...
§ Enable RCF= value to something other than "N"
– Requires IMS cold start
§ Specify NORSCCC(MODBLKS) in DFSCGxxx
– Turns off resource consistency checking for Matrix data sets in an IMSplex environment

Migration Considerations ...
§ Consider possible conflicts of trancodes for AOI and current userids for users
– Possible MSNAME conflicts also
§ Define Matrix data sets
– V9: still required, but may be empty
– V10: no longer needed

Migration Considerations ...
§ Any of the following SECURITY macro options activate SMU
– PASSWD=YES or PASSWD=FORCE (override: /NRE NOPASSWORD)
– TERMNL=YES or TERMNL=FORCE (override: /NRE NOTERMINAL)
– TRANCMD=YES or TRANCMD=FORCE (override: AOI1=R)
– TYPE=RACFAGN or TYPE=AGNEXIT (override: ISIS=R)

Migration Considerations ...
§ AOI considerations
– CMD has a new status code and new return/reason (AIB) codes
– ICMD has new return/reason codes
§ Log record (type X'10') has new error codes
§ New and changed Exits
– DFSRAS00, DFSCCMD0, DFSISIS0, DFSMSCE0

Migration Checklist - SMU to RACF
§ Translate AGN definitions to RACF
– Make sure new classes are activated in RACF
– Define new RAS parameters: SECURITY macro or execution ISIS parameter
– Create DFSRAS00 to replace DFSISIS0
– Review JCL for AGN= specifications
§ For static terminals required to sign on
– Specify SIGNON=ALL|SPECIFIC parameter in DFSDCxxx
– Optionally, specify OPTIONS=SIGNON on applicable TYPE/TERMINAL macros

Migration Checklist - SMU to RACF ...
§ Enable SAF support for TCO command authorization
– TCORACF=Y and RCF=A|S|R|B
§ Review AOI requirements
– Specify AOI parameter on TRANSACT macro where needed
– For TYPE 1 CMD security, additionally specify AOI1 = A|N|C|R|S
§ Migrate /LOCK and /UNLOCK security
– Specify LOCKSEC=Y in DFSDCxxx

Migration Checklist - SMU to RACF ...
§ Review MSC requirements for link receive security
– Specify use of SAF/DFSCTRN0 and level of authorization checking in the new MSCSEC parameter in DFSDCxxx
– Modify DFSMSCE0 if needed
– Synchronize RACF profiles on sending and destination systems
§ Determine the need to change or write exit routines

SMU TO RACF CONVERSION UTILITIES

SMU to RACF Conversion Utilities
§ A set of stand-alone programs and JCL
§ Delivered via PTF
§ Documented in PSP bucket: UPGRADE IMS910 SUBSET SMU2RACFCON

SMU to RACF Conversion Utilities
PTFs on IMS V9 and IMS V10 provide a set of utilities to help migrate SMU to RACF
§ IMS V9:
– PK68453/UK38824
– PK66015/UK37339
– PK56106/UK32791
– PK54996/UK32790
– PK38522/UK28607
– PK35433/UK21894
§ IMS V10:
– PK69107/UK38825
– PK66030/UK37313
– PK56185/UK33359
– PK58281/UK32794
– PK49538/UK31516

SMU to RACF Conversion Utilities
§ Application Group Name (AGN) security
– Use DFSKAGN0 to generate RACF RAS definitions
§ Type 1 Automated Operator Interface (AOI)
– Use DFSKDIMS (optional) and DFSKCIMS to generate RACF statements
– Use DFSKSMU1 and DFSKAOI1 to add the AOI parameter to TRANSACT macros in Stage 1
§ Terminal security for Time-Controlled Operations (TCO)
– Use DFSKDIMS (optional) and DFSKCIMS to generate RACF statements for LTERM DFSTCFI
§ MSC link-receive security
– The DFSKSTG0 Stage 1 Analysis report will provide advice on what is required
§ /LOCK, /UNLOCK and /SET commands with passwords
– The DFSKSTG0 Stage 1 Analysis report will provide advice on what is required
§ Static terminal Signon verification
– Use DFSKSMU1 and DFSKSMU2 to add the SIGNON option to TERMINAL macros in Stage 1

SUMMARY
§ IMS 9 and IMS 10 include a set of utilities to simplify and expedite the migration from SMU
– Supplied via PTFs
– Addresses the most manually intensive tasks
– Creates corresponding RACF statements
– Updates IMS Stage 1 TRANSACT &/or TERMINAL macros as needed
§ Not meant as a total solution!
– Generated RACF statements may well require additional editing
– Customers using different flavors of the same type of SMU security, e.g. )( CTRANS and )( TCOMMAND, may have to convert different subsets of SMU source in different ways
§ The Stage 1 Analysis Report documents all the appropriate tasks for migrating off SMU

References

References for Security Information
§ IMSV10 System Administration Guide, Chapter 8, SC18-9718-00, available for viewing or download at http://www.ibm.com/ims
§ IMSV9 System Administration Guide, Chapter 4, SC18-7807-00, available for viewing or download at http://www.ibm.com/ims
§ IMS Version 9 Implementation Guide, Chapter 6, SG24-6398, http://www.redbooks.ibm.com/redbooks/pdfs/sg246398.pdf

References for Security Information
§ IMSV7 Performance Guide (Redbook), Chapter 19, SG24-6404, http://www.redbooks.ibm.com/redbooks/pdfs/sg246404.pdf
§ IMSV6 Security Guide (Redbook) (still valid despite its age), SG24-5363, http://www.redbooks.ibm.com/redbooks/pdfs/sg245363.pdf
§ IMS Primer (Redbook), Chapter 24, SG24-5352, http://www.redbooks.ibm.com/redbooks/pdfs/sg245352.pdf
§ z/OS Security Server RACF Security Administrator's Guide, SA22-7683-11, Chapter 16: RACF and IMS (concise but missing updates)

References for Security Information
§ Presentations: http://www-306.ibm.com/software/data/ims/shelf/presentations/
Especially:
– "Security Options and Considerations for OTMA, IMS Connect, and the MQSeries Bridge Application"
– "Converting IMS SMU Security to RACF with V9"

RACF tools
§ RACTRACE tool: can trace every RACF call from a selected address space via WTO. The tool and documentation can be downloaded from: ftp://www.redbooks.ibm.com/redbooks/GG243984/
§ Other RACF "goodies": http://www-03.ibm.com/servers/eserver/zseries/zos/racf/goodies.html

Visit the IMS Home Page Frequently
§ www.ibm.com/ims contains links to
– Upcoming Webcasts, Roadshows and other events
– Samples submitted by IBM and customers (IMS Examples Exchange)
– Presentations/papers
– Library
– IMS Tools and the Tools library
– Information Center
– IMS Newsletters

Online User Forums
§ IMS-L: http://imslistserv.bmc.com
§ IMS Society: http://www.ims-society.com/
§ Virtual IMS Connection: http://www.virtualims.com/board/index.php

Call or Write
Maida Snapper
maidalee@us.ibm.com
845-620-5762

Hints and Tips and FAQs

SMU Conversion FAQs
1) When I change the RCF value, do I need to COLD start? YES! Changing the RCF parameter requires a COLD start of IMS to take effect.
2) How do I convert the SMU TERMINAL statements for WTO and MTO to RACF? If your SMU allows WTO and MTO to do all commands then no action is necessary. IMS bypasses the RACF check for commands from the System Console and MTO.
3) I removed all my STERM statements from SMU. Why does IMS still see them? If you have no STERM statements then the Security Gen (DFSISMP0 SMU utility) will not produce a new version of member DFSISSOx. If there is an existing DFSISSOx in the MATRIX dataset, the utility will not delete it. You need to do that yourself by deleting or renaming it. This applies to any of the MATRIX dataset members when all of their corresponding control statements have been removed from SMU.
4) I tried to turn off Type 1 AOI security by starting IMS with /NRE NOTRANCMDS. Why are all CMD calls now being rejected? In IMSV9 TRANCMD=NO on the SECURITY macro and NOTRANCMDS on an IMS restart do not have the same effect. TRANCMD=NO or AOI1=N turns off security for CMD calls. Starting IMS with NOTRANCMDS means transactions cannot issue the CMD call. In IMSV10 NOTRANCMDS is ignored.

SMU Conversion FAQs
5) How can I force the TCO terminal, DFSTCF, to sign on if I can't code it in the IMSGEN? The only way to force the TCO terminal to sign on is to code SIGNON=ALL in DFSDCxx. If you code SIGNON=SPECIFIC or SIGNON=NONE, the TCO terminal will not be required to sign on.
6) Why does my TCO script execute even though I didn't put a valid user ID and password sign on in the script? If TCO doesn't sign on, or signs on and fails verification, and you do not require the TCO terminal to sign on (see above), then RACF will use the IMS control region user ID. If the IMS control region user ID is authorized to do the transaction or command, the script will execute.
7) Why are some of the commands in my TCO script being rejected by RACF even though I have a valid TCO user ID that signs on in the script? If you put a /SIGN OFF at the end of the TCO script, the RACF ACEE for the TCO user ID will be deleted at signoff time. Any time-initiated commands or transactions scheduled to execute at a later time will fail the RACF check. The exception to this is when you do not require the TCO terminal to sign on and the IMS control region is authorized to do the transaction or command. Recommend you do not put /SIGN OFF in the script.

SMU Conversion FAQs
8) Why is SMU rejecting transactions even though I specified RACF for transaction authorization and I removed all the TERMINAL statements from SMU? If RACF security is specified for transactions from static terminals, and if the SECURITY macro specifies TERMNL=YES or PASSWD=YES, then IMS will do both RACF and SMU security checks for transactions from static terminals. The SMU checks will be done after the RACF checks. During your SMU migration, if you removed TERMINAL statements from your SMU but did not set TERMNL=NO, static terminal users could receive SMU security violations even though they are authorized by RACF. This only applies to transactions, not commands.
9) Why am I getting a DFS171A Security Load Failed after I removed all my SMU statements and emptied my MATRIX dataset? If your SECURITY macro specifies TERMNL=YES and/or PASSWD=YES, IMS expects to be able to load the MATRIX dataset member that contains SMU TERMINAL statements or SMU PASSWORD statements. If you remove the TERMINAL and PASSWORD statements from SMU but you still have TERMNL=YES and/or PASSWD=YES specified on the SECURITY macro, IMS will issue the DFS171A message at initialization. This is an informational message and IMS will come up.

SMU Conversion FAQs
10) Do I have to remove the AGN parameter on all my BMP jobs when I convert from SMU to RACF? No. The AGN parameter on all procedures is valid for compatibility and ignored.
11) Do I have to change ISIS=0 to ISIS=N for IMS V10? It depends on what your SECURITY macro specifies. IMSV10 ignores ISIS=0,1,2, which means the TYPE specification on the SECURITY macro will be used to determine the setting for RAS security.
12) If I want all my static terminals to sign on, do I have to code OPTIONS=SIGNON on every static terminal macro? No. When you want all of your static terminals to sign on, you can specify SIGNON=ALL in the DFSDCxxx PROCLIB member. This requires all static terminals to sign on except MTO, LU6.1, 3284/3286, and SLU1 printer-only devices. If you want the MTO to sign on, specify OPTIONS=SIGNON on the MTO's TYPE or TERMINAL macro.
13) Why are CMD calls being rejected even though I coded AOI1=R? AOI1=R has no effect unless AOI= is coded on the TRANSACT macro.

SMU Conversion FAQs
14) What user ID is used for AO application programs when AOI=YES in the TRANSACT macro?
– If the AOI program is MPP or IFP and a message GU call has completed, the user ID is the user of a signed-on terminal or the LTERM name of the signed-off terminal where the transaction is issued. If GU is not issued, the PSB name is used.
– If the AOI program is a BMP, and a message GU call has completed, the user ID is the user at the signed-on terminal or the LTERM name of the signed-off terminal where the transaction is issued. If GU is not issued or if the BMP is non-message driven, the value of the USER parameter specified on the JCL JOB statement is used. If the USER parameter is not specified, a user ID of 0000000 is used.
– If the AOI program is a DRA THREAD, the security token that is passed in the PAPL for a schedule request is used to determine whether the user can issue command calls.
15) How can I convert SMU LTERM security to RACF transaction authorization for transactions coming over an ISC link from a device that is unable to sign on? One possible approach: if sign on is not required, IMS will use the LTERM name as the user ID and try to create an ACEE for it. You could create a user ID for the LTERM name or use the Security Reverification Exit (DFSCTSE0) to override the RACF failure. If the ISC transaction makes a CHNG call, then the IMS control region user ID is used when IMS calls RACF. If the IMS control region user ID is authorized, then the Transaction Authorization Exit (DFSCTRN0) will be called for further checking.

Hints and Tips
1) If you change the RCF parameter, a COLD start is required for the change to take effect.
2) If you protect the RECONs in RACF, be sure users have authorization to all 3 RECON datasets. If the VSAM open for either RECON1 or RECON2 fails because of a RACF security violation, IMS interprets the open failure as an I/O error and discards that RECON dataset.
3) Opening a VSAM dataset for update requires CONTROL access in RACF (for CI split processing).
4) If you change the RCLASS and request RACF security, be sure you have defined your new C, O, T, S, P, I, L classes in the RACF CDT and ACTIVATEd them in RACF before you start IMS. You don't have to define any resource profiles in the classes, but the classes must be defined to RACF in the CDT. If required classes are not defined, IMS will abend at initialization with a U0166 abend. If you don't define the F, I, P classes, IMS will issue informational msg DFS2466I but not abend. (Application programs may not be able to do AUTH calls.)
5) In IMSV9, all IMS jobs, utilities and subsystems in which DBRC is active require CONTROL access to the RECONs. IMSV10 provides the option of opening RECON for read-only access.

Hints and Tips
6) CMDMCS guides the authorization of IMS commands that originate from MCS consoles. If CMDMCS=R, the userid of the MCS console is checked by RACF before allowing the command. If the command is a DBRC command (/RMx) and the /RMx command is authorized by the CMDMCS RACF check, then the DBRC security check is not done. /RM commands are automatically authorized if they come from the MVS console or the IMS master; no DBRC security check is done.
7) When either the AOIS or CMDMCS startup values indicate that DFSCCMD0 (Command Authorization Exit) is to be invoked, DFSCCMD0 must be included in the IMS system or IMS abends with a U0718 at initialization.
8) An input message going from front end IMS to back end IMS includes the user ID and group name. If transaction authorization is activated on the BE and the application issues a CHNG call, IMS calls RACF to create an ACEE based on the user ID and group name that was passed from the FE in the IOPCB.
9) If the BE uses a different RACF database, the user must be attached to the same RACF group on the BE as he is on the FE or authorization on the BE will fail: INVALID GROUP. If the RACF database is not shared, recommend keeping them in synch.

Hints and Tips
10) If SIGNON=SPECIFIC in DFSDC then NOSIGNON will be the default for all static terminals.
11) Console and Master are never required to sign on and are not impacted by STERM ALL or SIGNON=ALL.
12) IMS bypasses the RACF check for commands from the system console and MTO. Transactions from the system console are handled the same as transactions coming from any static terminal. This means sign on may be required for transactions.
13) RACF does not have to be enabled for every type of input source. For example, it's ok to say RCF=N and ISIS=R to have RACF RAS security but no RACF security for commands or transactions from SNA terminal users.
14) ODBA (e.g. DB2 stored procedures) can be secured using APSB security by specifying ODBASE=Y (and RACF turned on), or you can use RAS security by specifying ISIS=R. If both ODBASE and ISIS are specified, ODBASE will be used for ODBA.
15) You can do an IMSGEN with TRANEX specified and not have a Transaction Authorization exit. There will be an unresolved reference for DFSCTRN0. If this exit is later added, copying the exit to RESLIB is not enough: you need to relink the IMS Nucleus (DFSVNUCx) to pick up the exit.

Hints and Tips
16) An AOI program issuing an unauthorized CMD call will receive a CD status code.
17) Any time IMS issues a RACROUTE that results in an update of the RACF database (for example, /SIGN with NEWPW and VERIFY), it causes an exclusive enqueue on the data set.
18) To find out if more than one profile protects a particular resource, issue the RLIST command with the RESGROUP operand. For example: RLIST CIMS EXI RESGROUP. RLIST RESGROUP does not support generic matches: if you define a profile and use generic characters such as (*) to add members to the profile, RLIST RESGROUP will not return any of the matching profiles in its output. For example, after RDEF GIMS GIMSGRP ADDMEM(ABC*), the command RLIST GIMS ABCD RESGROUP will not show ABC* in the RLIST output.
19) If you have no STERM statements then DFSISMP0 (SMU utility) will not produce a new version of member DFSISSOx. If there is an existing DFSISSOx in the MATRIX dataset, the utility will not delete it. You need to remove the member yourself by deleting or renaming it. This applies to any of the MATRIX dataset members when all of their corresponding control statements have been removed from SMU.

Hints and Tips
20) Sample approach to replace LTERM security for an ISC link that doesn't sign on: If signon is not required, then the CTL region user ID is used on the FASTAUTH against the transaction name. You could then use the DFSCTRN0 exit to check security. If the ISC transaction subsequently makes a CHNG call, IMS will use the LTERM name as the user ID and try to create an ACEE for it. You could create user IDs for the LTERM names or use DFSCTSE0 to override the RACF failure.
21) If you implement TCORACF security you need a /SIGN ON in the TCO script with a user ID and password. This will create an ACEE for the TCO user ID to authorize transactions and commands issued by the script. If you put a /SIGN OFF in the script, the ACEE will be deleted and any time-initiated commands or transactions scheduled to execute at a later time will fail the RACF check. Recommend you do not /SIGN OFF.
22) If RACF security is specified for transactions from static terminals, and if the SECURITY macro specifies TERMNL=YES/FORCE or PASSWD=YES/FORCE, then IMS will do both RACF and SMU security checks for transactions from static terminals. The SMU checks will be done after the RACF checks are done. This only applies to transactions, not commands. During your SMU migration, if you removed TERMINAL statements from your SMU but did not set TERMNL=NO, static terminal users can receive SMU security violations even though they are authorized by RACF.

Hints and Tips
23) RACF always uses the most specific (discrete) profile it can find for the resource. Be aware of things like this:
RDEF TIMS ** UACC(NONE)
PERMIT ** CLASS(TIMS) ID(JONES) ACCESS(READ)
RDEF TIMS ADDINV UACC(NONE)
PERMIT ADDINV CLASS(TIMS) ID(SANCHEZ) ACCESS(READ)
Jones cannot access the ADDINV transaction.
Be aware of things like this:
RDEF FACILITY PROD.LIST.DB.* UACC(NONE)
PERMIT PROD.LIST.DB.* CLASS(FACILITY) ID(JONES) ACCESS(READ)
RDEF FACILITY PROD.LIST.DB.AAA UACC(NONE)
PERMIT PROD.LIST.DB.AAA CLASS(FACILITY) ID(SANCHEZ) ACCESS(READ)
Jones cannot do LIST.DB DBD(AAA), but Jones can list database AAA by using LIST.DB ALL.

Hints and Tips
24) If USER1 is in the access list of the generic ** profile and there is another access list for a specific member of that same class, then USER1 will not have access to that specific member. For example:
PE ** CLASS(CIMS) ID(MAIDA) ACCESS(READ)
PE DIS CLASS(CIMS) ID(JAMES) ACCESS(READ)
results in MAIDA having access to all commands except /DIS.
25) In IMSV10, ISIS=0,1,2 are ignored and ISIS will default to the TYPE specification on the SECURITY macro for RAS security.
26) AGN coded on procedures is valid for compatibility but ignored.
27) RACF ALTER access is required to extend database datasets to new candidate volumes.
28) If you activate RAS security, then every dependent region will need to be authorized to the IMSid protected in the APPL class.
29) CIMS resource names must be the first 3 characters of the IMS command.

Hints and Tips
30) If sign on is not required and the user does not sign on, RACF uses the ACEE of the "default environment" for authorization. (ETO terminals are always required to sign on.) The "default environment" could be the IMS control region or it could be the dependent region.
31) With TERMNL=YES specified on the SECURITY macro, IMS expects to be able to load the MATRIX dataset member that contains SMU TERMINAL statements. With PASSWORD=YES specified on the SECURITY macro, IMS expects to be able to load the MATRIX member that contains PASSWORD statements. If you remove all TERMINAL and/or PASSWORD statements from SMU and you have TERMNL=YES and/or PASSWORD=YES specified on the SECURITY macro, IMS will issue the DFS171A msg at initialization. This is informational and IMS will still come up.
32) When no command security is specified for a given input source, you will get default security for commands entered from that source. For example, if you set up RACF command authorization to allow /DIS from terminals, but you did not specify a value for APPCSE, then the default security for APPC allows only the /BROADCAST, /LOG, /RDISPLAY and /RMLIST commands, and the /DIS command will not be accepted from an APPC device.
33) Default security only applies to commands, not transactions.

Hints and Tips
34) Unless you have RACF configured for SYSPLEX communication, a SETR RACLIST(TIMS) REFRESH on SYSA is not propagated to SYSB. You have to issue the same command on SYSB as well.
35) You might have to recycle IMS to grant new dataset access. If new access is given to a GROUP and IMS was not previously connected to that GROUP, then IMS will need to be recycled. If the access was given to IMS or to a GROUP IMS was already connected to, then refreshing the profile should be enough. If the profile is generic, then SETROPTS REFRESH GENERIC(DATASET) needs to be issued.
36) When you have class pairs of MEMBER and GROUP types, all action items (other than changing profiles) are against the MEMBER class. You don't have to recycle IMS for RACF resource profile changes to take effect. You only need to refresh the RACF dataspace by issuing SETR RACLIST(classname) REFRESH. Classname should always be the member class (e.g. CIMS), not the grouping class (e.g. DIMS).

Hints and Tips
37) The ** (G) profile covers all resources NOT already defined in the class. For example, RDEF CIMS ** UACC(NONE) covers all commands that do not have their own profile in CIMS or a DIMS group. RACF looks for:
a) A discrete CIMS profile (merged with information from the DIMS class and the ADDMEMs referenced in DIMS profiles that match the CIMS profile), using the most restrictive result.
b) If no discrete CIMS profile is found but there are CIMS or DIMS generic profiles, then the "best" or most accurate match is used.
c) Finally, the ** (G) profile covers all other IMS commands not already defined in CIMS as either DISCRETE or GENERIC. This final profile is often called the backstop or profile of last resort.

Hints and Tips
38) Member class and Grouping class definitions are merged when RACLISTed. IMS authorization calls are made against the member class. When there are "conflicts", the most restrictive definition is used. If a user is in more than one access list for the same resource, the information is merged and the most permissive (least restrictive) ACCESS is used. (See z/OS Security Server RACF Security Administrator's Guide, "Resolving Conflicts among Multiple Profiles".) Be aware of things like this:
RDEF DIMS DBAGROUP ADDMEM(DBR) UACC(NONE)
RDEF DIMS SYSPROG ADDMEM(DBR) UACC(NONE)
PE DBAGROUP CLASS(DIMS) ID(JOE) ACCESS(NONE)
PE SYSPROG CLASS(DIMS) ID(JOE) ACCESS(READ)
After the merge, JOE has READ access to the /DBR command.
39) If a resource name appears in more than one resource group and/or has a discrete profile of its own with conflicting UACCs, RACF chooses the most restrictive UACC.
40) The /SIGN and /RCLDST commands are the only commands that an ETO terminal can enter before it signs on. RACF is not called to authorize these commands.
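The profile-resolution rules in tips 23, 24, 29 and 37 to 39 above, as an added Python model written for this page (it is not RACF code and not from the IBM deck). It replays the deck's own JONES/ADDINV, MAIDA/DIS and JOE/DBR examples and adds constructed ones (the PAY* generic, the OPERS and LOCKED groups, users ANON and FRED) to show the generic-specificity and conflicting-UACC cases. The matching and merge rules are simplified assumptions: names have no qualifiers, * matches zero or more characters, % one character, and a user's own entry is not given precedence over group entries.

```python
"""Model of how RACF resolves an IMS command or transaction authorization
across a member class (CIMS/TIMS) and its grouping class (DIMS/GIMS).
Teaching model written for this page; it is not RACF code.

Rules modelled (tips 23, 24, 29, 37, 38, 39):
  * a discrete profile beats any generic one; among generics the most
    specific pattern wins; ** is the backstop
  * every profile covering the chosen name is merged: most restrictive
    UACC, most permissive access-list entry for the user
  * a CIMS resource name is the first 3 characters of the command verb
Simplifications (assumptions, not RACF behaviour): names have no
qualifiers, '*' matches zero or more characters, '%' one character, and a
user's own entry is not given precedence over group entries.
"""
import re
from dataclasses import dataclass, field

ACCESS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
LEVEL = {v: k for k, v in ACCESS.items()}


@dataclass
class Profile:
    """One RDEFINE plus its PERMITs.  A member-class profile covers its own
    name; a grouping-class profile covers each name in its ADDMEM list."""
    name: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)  # ID -> ACCESS from PERMIT
    addmem: tuple = ()                        # non-empty => grouping profile

    def patterns(self):
        return self.addmem if self.addmem else (self.name,)


def cims_resource(command):
    """Tip 29: CIMS resource name = first 3 characters of the command verb."""
    return command.lstrip("/").upper()[:3]


def matches(pattern, resource):
    """Simplified generic matching: ** anything, * zero or more chars, % one."""
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", ".*")
    return re.fullmatch(rx.replace("%", "."), resource) is not None


def specificity(pattern):
    """Sort key; lower is more specific.  Per position a literal character (0)
    beats % (1), which beats * (2), which beats ** (3)."""
    key, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            key.append(3)
            i += 2
        else:
            key.append({"*": 2, "%": 1}.get(pattern[i], 0))
            i += 1
    return key


def authorize(profiles, resource, user, groups=()):
    """Access level `user` ends up with for `resource` in one RACLISTed class."""
    covering = [(p, pat) for p in profiles for pat in p.patterns()
                if matches(pat, resource)]
    if not covering:
        return "UNPROTECTED"  # RACF finds no profile; IMS decides what that means
    discrete = [(p, pat) for p, pat in covering if pat == resource]
    if discrete:
        chosen = discrete                                        # tip 23 / 37a
    else:
        best = min((pat for _, pat in covering), key=specificity)
        chosen = [(p, pat) for p, pat in covering if pat == best]  # 37b / 37c
    uacc = min(ACCESS[p.uacc] for p, _ in chosen)                  # tip 39
    ids = {user, *groups}
    entries = [ACCESS[a] for p, _ in chosen
               for who, a in p.acl.items() if who in ids]          # tip 38
    return LEVEL[max(entries)] if entries else LEVEL[uacc]


def page_scenarios():
    """The situations from the tips, plus constructed ones (PAY*, OPERS,
    LOCKED, ANON and FRED are made up for illustration)."""
    tims = [Profile("**", acl={"JONES": "READ"}),                  # tip 23
            Profile("ADDINV", acl={"SANCHEZ": "READ"}),
            Profile("PAY*", uacc="READ")]                          # constructed
    cims = [Profile("**", acl={"MAIDA": "READ"}),                  # tip 24
            Profile("DIS", acl={"JAMES": "READ"})]
    dims = [Profile("DBAGROUP", addmem=("DBR",), acl={"JOE": "NONE"}),  # tip 38
            Profile("SYSPROG", addmem=("DBR",), acl={"JOE": "READ"})]
    dims2 = [Profile("OPERS", addmem=("STA",), uacc="READ"),           # tip 39
             Profile("LOCKED", addmem=("STA",), uacc="NONE")]
    return {
        "jones_addinv": authorize(tims, "ADDINV", "JONES"),    # NONE: discrete wins
        "jones_orders": authorize(tims, "ORDERS", "JONES"),    # READ via **
        "anon_payroll": authorize(tims, "PAYROLL", "ANON"),    # READ: PAY* beats **
        "anon_orders": authorize(tims, "ORDERS", "ANON"),      # NONE: backstop UACC
        "maida_display": authorize(cims, cims_resource("/DISPLAY ACTIVE"), "MAIDA"),  # NONE
        "maida_start": authorize(cims, cims_resource("/START TRAN PAYROLL"), "MAIDA"),  # READ
        "joe_dbr": authorize(dims, "DBR", "JOE"),              # READ after merge
        "fred_sta": authorize(dims2, "STA", "FRED"),           # NONE: restrictive UACC
    }


if __name__ == "__main__":
    for label, level in page_scenarios().items():
        print(f"{label:15} {level}")
```

Run it and compare each line with the tip it models. Swapping JOE's two DIMS entries (READ in DBAGROUP, NONE in SYSPROG) still yields READ, which is the point of tip 38: a NONE on one grouping profile does not revoke a READ granted on another profile covering the same command, so an explicit deny has to be expressed by removing the permissive entry, not by adding a restrictive one.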