IBM GC28-1920-01 manual OpenEdition Planning, and inOS/390 OpenEdition Programming Assembler

Page 64

OpenEdition Planning, and inOS/390 OpenEdition Programming: Assembler

OpenEdition Planning, and inOS/390 OpenEdition Programming: Assembler

Callable Services Reference. The C language support for the

pthread_security_np() function is discussedOS/390 inR2 C/C++ Run-Time

Library Reference.

Threads and	Security
An application that		usespthread_thesecurity_np	service	can customize the
RACF identity of a thread. Consider			a DCE application server on OS/390, w
accepts	requests	through DCE remote	procedure	calls (RPC). This server

a thread that processes the client's request. If the server customiz initiated for the client with the client's RACF identity, any resource

to MVS RACF-protected resources are made using the client's RACF						identity
authorizations.
The security administrator has the	option	of	enforcing	both	the applic
RACF identityand the RACF identity of	the	client	to be	used	in	resource
control decisions on OS/390.

The use ofpthreadthesecurity_np service is partially protected through a R FACILITY class profile BPX.SERVER.

ŸApplication servers that have UPDATE access to this profile can act surrogate of the2 Thisclientmeans. that only the client's RACF identity and

authorizations are used in resource access decisions processed by

ŸIf the application servers are permitted with READ access to the FACILITY class profile BPX.SERVER, two identities are used in local a

control decisions on OS/390:


–	The	RACF	identity of		the	client
–	The RACF identity of the					server
RACF	authorization			processing		enforces the requirementboth the MVSthat
user ID associated with the client and							the MVS user ID associate
server		are	authorized		to	the resource	being checked. This capabil
an	installation to			control:

– Which user IDs the server can act on behalf of

–What resources the server can access when acting on behalf of clients

This additional security checking might require additional RACF administrat authorize the server to the RACF resource profiles that the server a behalf of its clients.

Single	threaded applications cannotpthreaduse securitythe _np	service to
manage	a RACF ACEE.

2	There is	an additional security check in which a RACF	SURROGAT class profile must authorize the server to
	for the	client. For more informationOS/390 seeOp nEdition Planning.
40	OS/390	V1R2.0 Security Server (RACF) Planning: Installation	and Migration

Image 64

Contents OS/390 Security Server RACF Planning Installation and MigrationPlace graphic in this area. Outline is keyline only. DO NOT PRINT Page Security Server RACF Planning Installation and Migration Second Edition, September 1996. AllPage Page Contents MigrationCustomization Considerations Administration ConsiderationsAuditing Considerations Operational Considerations IndexChapter 10. ApplicationPage Figures Page Notices Trademarks How to Use This About This BookWho Should Use This Book xiiiWhere to Find More Information Softcopy PublicationsŸ The OS/390 Security Server RACF Information , PackageSK2T-2180 ServerAdministration, H3927 Elements of Security RACF Installation - Student GG24-3971NotesUsing the Ÿ Tutorial Options for Tuning GG22RACFOther Sources of Information IBM Discussion AreasInternet Sources listserv@uga.cc.uga.eduPublications To Request Copies ofxviii OS/390Features ServiceŸ OpenEdition ProductOSA/SF V2R5TSO/EPage Summary of Changes Page Chapter 1. Planning Migration Planning ConsiderationsMigration Administration Considerations Installation ConsiderationsCustomization Considerations Auditing Considerations Operational ConsiderationsApplication Development Considerations General User ConsiderationsPage Chapter 2. Release Overview New and Enhanced SupportOS/390 OpenEdition DCE identifiesfunction introduced in OS/390 ReleaseConcepts CheckAuthorizing and Auditing Server Access to the CCS and WLM Services Auditing the Passing of Access RightsOS/390 OpenEdition SOMobjects for MVSMultisystem Nodes RRSF Networknon-main systemsYear OS/390 Enable and Disable FunctionsTARGET NetView 1.10classes FacilityFunction Not Upgraded updated foridentifies function thatComponents for Release3. Summary of Class Descriptor Table CDTCommands lists classeswhich thereCommand Chapter 3. Summary of Changes to RACF Components for OS/390 15ReleaseData Areas Exitslists changed general-use programming interface GUPI data areMacros MessagesFigure 12 lists changes RACF macrosNew Messages Changed MessagesMessages RACF Database Split/Merge Utility IRRUT400Panels Publications LibraryRoutines Figure 13 lists RACF panels that areSYS1.SAMPLIB TemplatesFigure 16 identifies changes to RACF members of SYS1.SAMPLIB RACROUTE REQUEST=EXTRACTFigure 18 lists changes to RACF utilities for OS/390 Release UtilitiesTemplate Utility 0280OS/390 Security Server RACF Planning Installation and forMigration RACF Planning Installation and Migrationfor RACFChapter 4. Planning Considerations Migration StrategyRACF Planning Installation and Migrationfor RACF 2.1, and Hardware RequirementsSoftware Requirements RACF Migration and Planning for RACFCompatibility Considerations for Remote Sharing CompatibilityRequirements Page Chapter 5. Installation Considerations Enabling RACFConsiderations Networksinstallation configuredare in your existing workspace data sets when you install multisystem RChapter 5. Installation Considerations29 mustprefix nodenamesysname local-luprefix.local-node.local-node .INMSG RACF Storage Considerations Virtual StorageThis section discusses storage considerations for RACF Figure 21 estimates RACF virtual storage usage, for planning purposesCustomer Additions to the CDT SubpoolTemplates for RACF on OS/390 Releaseinformation, OS/390see Security Server SystemChapter 6. Customization Considerations Exit Processingand IRRSXT00 Effects of OS/390 OpenEdition DCEIRRSXT00 Installation Exit RACROUTE REQUEST=DEFINE Preprocessing Exit ICHRDX01Chapter 7. Administration Considerations Server RACF Security Administrators. GuideCross-Linking Between RACF Users signonSignon to DCEUUIDS ClassActivating OS/390 OpenEdition DCE Application Considerations single signon restrictionsOpenEditionsee DCE Administration .Guidethe DCE Encryption Key Library Reference OpenEdition Planning, and inOS/390 OpenEdition Programming AssemblerThreads and Restrictions Changes to RACF Authorization Processingcallable servicepthread orsecuritynp Utility Rdceruid Callable ServiceEnhancements to the Chapter 7. Administration Considerations43 SYSMVIEWPage Chapter 8. Auditing Considerations SMF RecordsAuditors Guide and OS/390 Server RACF MacrosAuditing New OS/390 ServicesInterfaces Auditing OS/390 OpenEdition DCE Support Auditing SystemView for MVS SupportReport Writer SMF Data Unload UtilityPage Command OS/390 Security Server RACF Command Language Referencefor moreChapter 9. Operational Considerations Enabling and DisablingPage Chapter 10. Application Development Considerations 2000 SupportServers 01yydddFNew Application Services and Security pthread the securitynpService New Application AuthorizationChanges to the Class Descriptor Table Programming InterfacesŸ “Macros” on page Ÿ “Templates” on page Ÿ “Utilities” on page Ÿ “Routines” on pageChapter 11. General User ConsiderationsOpenEdition Reference forPage Chapter 12. NJE Considerations APAR OW14451OW08457 After Applying the PTFActions Required OW08457UACC NODESGROUP APAR OW15408FAILSAFE Page Chapter 13. Scenarios Migrating an ExistingNodes RRSFprefixTARGET NODEMIAMI2 SYSNAMESYSTEM2 LOCAL OPERATIVE On MIAMI2prefixTARGET NODEORLANDO DELETE prefixTARGET NODEMIAMI2 DELETEOn ORLANDO RACF DiagnosisDELETE prefixTARGET NODEORLANDO OPERATIVE PREFIX... PROTOCOL... WORKSPACE Note Theaccess Glossarydirection Page Seeinventory Seegeneral-use programmingprogramming Seelogical Seemultisystemlogical other.single-system supervisorytask segment andDFP Index A classes continuedcontinued Page SFSCMD SERVERKEYSMSTR utilitiescontinued Page Now you can! TheIBM Online Library Productivity IBM Edition OS/390 Security Server RACF Information Page Page Communicating Your Comments to IBM commentsReaders Comments - Wed Like to Hear from You OS/390 Security Server RACF Planning Installation and MigrationPublication No. GC28-1920-01 Note CopiesMAIL REPLYBUSINESS IBMPage Drop in Back Cover Image Here IBMGC28-192ð-ð1