Chapter 6. Customization Considerations
This chapter identifies customization considerations for OS/390 Release 4 Security
Server (RACF).
For additional information, see

OS/390 Security Server (RACF) System

Programmer's Guide

.

Customer Additions to the Router Table and the CDT

Installations must verify that classes they have added to the router table and class
descriptor table (CDT) do not conflict with new classes shipped with RACF. If
duplicate table entries are detected, the following error messages are issued at IPL
time:
For a duplicate router table entry, RACF issues this message and continues
processing: ICH527I RACF DETECTED AN ERROR IN THE INSTALLATION ROUTER
TABLE, ENTRY class_name, ERROR CODE 1.
For a duplicate CDT entry, RACF issues this message and enters failsoft mode:
ICH564A RACF DETECTED AN ERROR IN THE INSTALLATION CLASS DESCRIPTOR
TABLE, ENTRY class_name, ERROR CODE 7.
If a conflict in class names occurs, you must delete the profiles in the
installation-defined class with the conflicting name, delete the CDT entry for the
class, add a CDT entry with a different name, and redefine the profiles.
Do not assemble the user-defined CDT (ICHRRCDE) on OS/390 Release 4 and
attempt to use it on a system running RACF at a lower level than RACF Version 2
Release 2.

RACF/DB2 External Security Module Customization

If you have both this release of RACF and Version 5 of DB2, you can use RACF to
protect DB2 objects. Migrating to this can be done one object at a time. For
example, all DB2 tables can be protected by RACF while other DB2 objects are not
RACF-protected. If an object is not protected by RACF, the RACF/DB2 external
security module defers to DB2 for authority checking.
The following is an overview of the steps involved in customizing RACF/DB2
external security module. For details, see

OS/390 Security Server (RACF) System

Programmer's Guide

and

OS/390 Security Server (RACF) Security Administrator's

Guide

Concerned staff members, such as the security administrator, system
programmer, DB2 system programmer, and database administrator, need to
decide whether to use the RACF/DB2 external security module.
Staff members need to decide which of the options (such as class and profile
name options) offered by the RACF/DB2 external security module they plan to
use. This can be as simple as using the defaults, which is recommended. If the
defaults are used, no new classes are needed.
Copyright IBM Corp. 1994, 1997 29