IBM GC28-1920-01 manual Changes to RACF Authorization Processing, Restrictions

Changes to RACF Authorization Processing

Extensions have been introduced to RACF's processing of authorization requests in which both the RACF identity of the server and the RACF identity of a client of the server application are used in a resource access decision.

RACF support for OpenEdition DCE introduces new indicators in the ACEE. These indicators mark the ACEE as a client ACEE. Client ACEEs are created by OS/390 OpenEdition and RACF on behalf of multithreaded unauthorized applications on OS/390.

Client ACEEs can only be created through the OS/390 OpenEdition pthread_security_np callable service or the pthread_security_np() C language function call.

There are two types of client ACEEs:

• Unauthenticated client ACEE

When an unauthenticated client ACEE is used in an access control decision, two authorization checks occur.

The first check uses the client ACEE. This is the ACEE that is associated with the current task. If the request is successful, the second check is performed.

 

 

 

 

 

 

 

 

 

 

 

 

 

The second check uses the ACEE associated with the server. This is the same ACEE that is associated with the application server's address space.

The automatic checking of both the client's identity and the server's identity is performed for RACF resources defined to RACF via profiles and for OpenEdition resources, such as hierarchical file system (HFS) files, where access is governed by POSIX permission bits.

• Authenticated client ACEE

When an authenticated client ACEE is used in an access control decision, only this ACEE is used in the access control decision. Audit records contain an additional relocate section, indicating that this authorization request was processed using an ACEE which was created on behalf of an unauthorized application.

An authenticated client ACEE is created when the client of the server application has supplied its RACF password (or RACF PassTicket) to the application server. The application server specifies the client's RACF password (or RACF PassTicket) on the pthread_security_np OS/390 OpenEdition callable service or on the pthread_security_np() C language function call.
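The two decision flows described above (unauthenticated client ACEE: client check, then server check only if the client passed; authenticated client ACEE: client check only, with the audit record flagged) are easy to get wrong when reasoning about what an unauthorized server can reach. The following C program is an added model of that flow, not code from the manual or from RACF: the `acee`, `permit` and `decision` types, the `check_one` and `authorize` functions, the userids SERVER1 and ALICE, and the resource names are all constructed for the example, and the access hierarchy is a simplified stand-in for RACF's.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Access levels in ascending order; a simplified model of the RACF hierarchy. */
enum access { NONE = 0, READ = 1, UPDATE = 2, CONTROL = 3, ALTER = 4 };

/* Minimal model of an ACEE: the identity plus the two client indicators the
 * text describes. Constructed for this example; not RACF's ACEE layout. */
struct acee {
    const char *userid;
    bool is_client;        /* built by pthread_security_np on the server's behalf */
    bool is_authenticated; /* client supplied a RACF password or PassTicket */
};

/* Constructed profile table: (resource, userid, permitted access level). */
struct permit { const char *resource; const char *userid; enum access level; };
static const struct permit profiles[] = {
    { "PAYROLL.DATA", "SERVER1", UPDATE },
    { "PAYROLL.DATA", "ALICE",   READ   },
    { "HR.REPORTS",   "ALICE",   UPDATE }, /* the server holds no permit here */
    { "AUDIT.LOG",    "SERVER1", READ   }, /* the client holds no permit here */
};

/* Single-identity check: does userid hold at least `want` on resource? */
static bool check_one(const char *userid, const char *resource, enum access want) {
    for (size_t i = 0; i < sizeof profiles / sizeof profiles[0]; i++)
        if (strcmp(profiles[i].resource, resource) == 0 &&
            strcmp(profiles[i].userid, userid) == 0)
            return profiles[i].level >= want;
    return false; /* no matching permit: deny */
}

struct decision {
    bool allowed;
    int  checks_performed;   /* 1 or 2 */
    bool audit_client_flag;  /* extra relocate section in the audit record */
};

/* Model of the decision flow: an ordinary task ACEE gets one check; an
 * unauthenticated client ACEE is checked first and the server ACEE second
 * (only if the client passed); an authenticated client ACEE is checked alone
 * and the audit record is flagged as coming from an unauthorized server. */
struct decision authorize(const struct acee *client, const struct acee *server,
                          const char *resource, enum access want) {
    struct decision d = { false, 1, false };
    d.allowed = check_one(client->userid, resource, want);
    if (!client->is_client)
        return d;
    if (client->is_authenticated) {
        d.audit_client_flag = true;
        return d;
    }
    if (d.allowed) {           /* second check only after the first succeeds */
        d.checks_performed = 2;
        d.allowed = check_one(server->userid, resource, want);
    }
    return d;
}

int main(void) {
    struct acee server  = { "SERVER1", false, false };
    struct acee alice_u = { "ALICE",   true,  false }; /* unauthenticated */
    struct acee alice_a = { "ALICE",   true,  true  }; /* authenticated   */
    struct decision d;

    d = authorize(&alice_u, &server, "PAYROLL.DATA", READ);
    printf("unauth ALICE READ PAYROLL.DATA: allowed=%d checks=%d\n", d.allowed, d.checks_performed);
    d = authorize(&alice_u, &server, "HR.REPORTS", UPDATE);
    printf("unauth ALICE UPDATE HR.REPORTS: allowed=%d checks=%d (server lacks permit)\n",
           d.allowed, d.checks_performed);
    d = authorize(&alice_a, &server, "HR.REPORTS", UPDATE);
    printf("auth   ALICE UPDATE HR.REPORTS: allowed=%d checks=%d audit_flag=%d\n",
           d.allowed, d.checks_performed, d.audit_client_flag);
    return 0;
}
```

The HR.REPORTS case is the one worth noticing: the same client identity is denied through an unauthenticated client ACEE, because the server's own identity holds no permit, and allowed through an authenticated one, with the audit record carrying the extra relocate section so the auditor can still see that an unauthorized server made the request.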

Restrictions

The security administrator must be aware of the restrictions of the ACEE support, in which both the application server's RACF identity and the client's RACF identity are used in resolving access decisions.

• RACROUTE REQUEST=FASTAUTH processing has not been enhanced to automatically check both the server and client RACF identities.

Ideally, application servers on OS/390 do not have to run APF-authorized, in supervisor state, or in a system storage protection key. Unauthorized application servers on OS/390 are therefore unable to use the RACROUTE REQUEST=LIST instruction to build in-storage profiles for RACF-defined

Chapter 7. Administration Considerations 41
