IBM 890 manual RACF enhancements, Multilevel Security

Once a user is authenticated, RACF and the resource managers control the interaction between that user and the objects it tries to gain access to. These objects include: commands, datasets, programs, tape volumes, terminals and objects that you define. RACF supports flexibility in auditing access attempts and changes to security controls. To audit security-relevant events, you can use the RACF system management unload utility and a variety of reporting tools.

With one command, a security administrator can update remote RACF databases without logging on to remote systems. Throughout the enterprise, RACF commands can be sent automatically to synchronize multiple databases. In addition, RACF can automatically propagate RACF database updates made by applications. With RACF, users can keep passwords synchronized for specific user IDs. When you change one password, RACF can change passwords for your user ID on different systems and for several user IDs on the same system. Also, passwords can be changed automatically for the same user ID on different systems. This way, several RACF databases can be kept synchronized with the same password information.

RACF enhancements:

Digital Certificates can be automatically authenticated without administrator action

Administrative enhancements enable definition of profiles granting partial authority. Handling of new passwords and removal of class authority are simplified.

On demand applications require a way to associate more users under a RACF Group definition, so RACF allows the creation of a new kind of Group that can contain an unlimited number of users

RACF now allows you to perform RACF installation class updates without an IPL, which can help improve availability

RACF facilitates enterprise password synchronization through RACF password enveloping and notification of password changes using z/OS LDAP

Improved user accountability through RACF’s enforcement of unique z/OS UNIX UIDs and GIDs

Improved access control flexibility and granularity for z/OS UNIX files with access control lists

Multilevel security support

Multilevel Security

z/OS 1.5 is the first and only IBM operating system to provide multilevel security. This technology can help improve the way government agencies and other organizations share critical classified information. Combined with IBM’s DB2 UDB for z/OS Version 8, z/OS provides multilevel security on the zSeries mainframe to help meet the stringent security requirements of government agencies and financial institutions, and can help open up new hosting opportunities. Multilevel security technology allows IT administrators to give users access to information based on their need to know, or clearance level. It is designed to prevent individuals from accessing unauthorized information and to prevent individuals from declassifying information.

With multilevel security support in IBM’s z/OS 1.5 and DB2 V8, customers can enable a single repository of data to be managed at the row level and accessed by individuals based on their need to know.
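The need-to-know and no-declassification rules described above, shown as an added illustrative model of label dominance and row-level filtering (this is not RACF's or DB2 V8's own code; the level names, category sets and sample rows are constructed for the example):

```python
from dataclasses import dataclass

# Hierarchical levels, lowest to highest. Constructed for this illustration,
# not RACF's or DB2's own label definitions.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset  # need-to-know compartments, e.g. {"OPS"}

    def dominates(self, other):
        """True when this label's level is at least other's level and its
        categories include all of other's (the 'need to know' part)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject, obj):
    # Simple security property: no read up. The subject's clearance
    # must dominate the object's label.
    return subject.dominates(obj)


def can_write(subject, obj):
    # *-property: no write down. A subject may only write to objects whose
    # label dominates its own, which is what blocks declassification by
    # copying data into a lower-labelled object.
    return obj.dominates(subject)


def visible_rows(rows, subject):
    """Row-level filtering: return only rows whose label the subject's
    clearance dominates."""
    return [r for r in rows if can_read(subject, r["label"])]


# Constructed sample table; each row carries its own security label.
ROWS = [
    {"id": 1, "data": "public notice", "label": Label("UNCLASSIFIED", frozenset())},
    {"id": 2, "data": "budget", "label": Label("SECRET", frozenset({"FINANCE"}))},
    {"id": 3, "data": "ops plan", "label": Label("SECRET", frozenset({"OPS"}))},
    {"id": 4, "data": "threat brief", "label": Label("TOP SECRET", frozenset({"OPS"}))},
]

# Constructed clearance for a user cleared to SECRET in the OPS compartment.
ANALYST = Label("SECRET", frozenset({"OPS"}))
```

Running `visible_rows(ROWS, ANALYST)` yields only rows 1 and 3: row 2 is blocked by the missing FINANCE category and row 4 by the higher level.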

SSL

Secure Socket Layer (SSL) is a public key cryptography-based extension to TCP/IP networking which helps to enable private communications between parties on the Internet. z/OS provides fast and highly secure SSL support, with increased performance when coupled with zSeries server cryptographic capabilities.
