

Installing the RACF Security Interface

The following is the procedure for installing the CA Disk RACF Security Interface. Steps 1 through 4 are required only for users who have discrete RACF profiles at their shop. Due to RACF's continuing support of discrete profiles, we recommend that all users follow each step.

To install the CA Disk RACF Security Interface

  1. Store CA Disk-Saved Discrete Profiles.

    Prepare for CA Disk-saved discrete profiles to be kept in an IBM RACF data set. This step is optional, but review it for possible applicability.

    CA Disk-saved discrete profiles are created and maintained through standard RACF macros (see the section Security Processing in the Systems Guide). RACF places the new profiles in the RACF data set selected by the user. While most users elect to keep all data set profiles in a single RACF data set, it can be useful (for example, to improve RACF performance by reducing contention between CA Disk RACF and other RACF requests) to separate CA Disk profiles from standard RACF data set profiles. This can be done by using the CA Disk-saved discrete profile data set name prefix as an identifier for CA Disk profiles (see the next step). Then specify the CA Disk prefix in the RACF RANGE TABLE (ICHRRNG) to indicate to RACF where to place CA Disk profiles.

  2. Specify the name for CA Disk-Saved Discrete Profiles.

    Provide a prefix (first qualifier) for the data set name of CA Disk-saved discrete profiles by specifying sysparm RACFUSID with a 1- to 8-byte name. This prefix identifies the CA Disk profiles and allows them to be placed on a RACF data set apart from the standard RACF data set. It is a RACF restriction that this RACFUSID value represents a user ID or group ID. We recommend using a user ID, not a group ID, as the value for this sysparm. The value should be meaningful to you in identifying CA Disk profiles. We recommend using DMSOS.

    To avoid having RACF RACDEF processing update the PERMIT list, ensure that the user ID does not have the GRPACC attribute.

    This RACF user ID is able to restore any data set for which CA Disk has saved a discrete profile. To prevent unauthorized use of this RACF user ID, it can be revoked using the TSO command:

    ALTUSER racfusid REVOKE
    

    Revoking the RACF user ID in this manner does not prevent its use for CA Disk discrete profile support.

  3. Specify the volume for CA Disk-Saved Discrete Profiles.

    Provide a volume name to be associated with CA Disk-saved discrete profiles by specifying sysparm RACFDVOL with a character volume serial number. Due to RACF restrictions, this volume must be a real DASD volume. Once specified, it must not change. Therefore, select a volume that is always online.

  4. Review the RACF Utility function.

    Review the description of the utility documented in the section Management of CA Disk-Saved Profiles in the Systems Guide. You do not need to use the utility at CA Disk installation time, but be aware of the utility's existence. After the CA Disk RACF Security Interface has been implemented, the utility can be run periodically, prior to running the CA Disk IXMAINT function. See the IXMAINT Utility section in the User Guide.

  5. Set sysparm RACFSUPP and RACFPROC.

    Activate the CA Disk RACF Security Interface by specifying sysparms RACFSUPP and RACFPROC with a value of Y in the SYSPARMS member of the parmlib data set.

  6. Review access to special CA Disk data set names.

    Review access to data set names VTOC.volser and DMSOS.Vvolser. If you use the SELECT VTOCS DSCL statement, CA Disk backs up the VTOC of each volume processed, tracking this information by the esoteric data set name VTOC.volser, where volser is the volume on which the VTOC resides.

    If you create volume-level backups with the VBACKUP command, CA Disk backs up each volume, tracking this information by the esoteric data set name DMSOS.Vvolser, where volser is the volume being backed up.

    BACKUP, VBACKUP, and IXMAINT functions each query any CA Disk Security Interfaces for authority to process these names.

    If you plan to use the SELECT VTOCS DSCL statement, or the VBACKUP command, make sure that BACKUP, VBACKUP, and IXMAINT functions can each access these fictitious data set names.

  7. Special RACF considerations.

    Examine the following special consideration for implementation.

    Under most versions of IBM's operating systems, OPEN, SCRATCH and RENAME processing queries RACF for authorization regardless of the setting of the RACF-indicator bit. This feature is called always call. Data sets cataloged in ICF catalogs also cause a query of RACF for authorization, regardless of the setting of the RACF-indicator bit.

    Under some operating systems, data sets not cataloged in ICF catalogs will query RACF only if the RACF-indicator bit is on. For non-VSAM data sets, the RACF-indicator bit is the DS1IND40 bit (bit x'40' at offset 93, x'5D') located in the data set's format-1 DSCB.

    CA Disk security processing normally queries RACF for authorization, regardless of the setting of the RACF-indicator bit. If you do not have the always call feature of the operating system and you do not use ICF catalogs, specify sysparm RACFALWZ with a value of N in the SYSPARMS member of the parmlib data set.

  8. Reviewing applicable sysparms.

    See the following sysparm descriptions for possible use in your installation. For more information, see the Systems Guide.
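The RACF-indicator bit check and the always call rules from step 7 can be run over dumped format-1 DSCBs to see which data sets the operating system would not refer to RACF. This is an added example, not CA Disk or IBM code; the function names, the sample data set names and the constructed 140-byte DSCBs are assumptions made for illustration.

```python
DSCB_LEN = 140        # 44-byte key (data set name) + 96-byte data portion
DS1FMTID_OFF = 44     # format identifier, x'F1' (EBCDIC '1') for format-1
DS1DSIND_OFF = 93     # x'5D', the flag byte named in step 7
DS1IND40 = 0x40       # RACF-indicator bit

def build_sample_dscb(dsname, dsind):
    """Constructed DSCB: only the name, format id and DS1DSIND are filled."""
    buf = bytearray(DSCB_LEN)
    buf[0:44] = dsname.ljust(44).encode("cp037")   # EBCDIC, blank padded
    buf[DS1FMTID_OFF] = 0xF1
    buf[DS1DSIND_OFF] = dsind
    return bytes(buf)

def parse_format1(dscb):
    """Return (data set name, RACF-indicated?) for one format-1 DSCB."""
    if len(dscb) != DSCB_LEN:
        raise ValueError("format-1 DSCB must be 140 bytes")
    if dscb[DS1FMTID_OFF] != 0xF1:
        raise ValueError("not a format-1 DSCB")
    name = dscb[0:44].decode("cp037").rstrip()
    # Mask the bit: other flags share the same byte.
    return name, bool(dscb[DS1DSIND_OFF] & DS1IND40)

def os_queries_racf(racf_indicated, always_call, icf_cataloged):
    """Step 7: always call or an ICF catalog entry forces the RACF query;
    otherwise the query happens only when the indicator bit is on."""
    return always_call or icf_cataloged or racf_indicated

def not_referred_to_racf(dscbs, always_call, icf_cataloged_names):
    """Names of data sets the operating system would open without asking RACF."""
    missed = []
    for dscb in dscbs:
        name, indicated = parse_format1(dscb)
        if not os_queries_racf(indicated, always_call,
                               name in icf_cataloged_names):
            missed.append(name)
    return missed

def racfalwz_n_applies(always_call, uses_icf_catalogs):
    """Step 7 suggests RACFALWZ N only when both features are absent."""
    return not always_call and not uses_icf_catalogs

# Constructed sample volume: three data sets, one RACF-indicated.
SAMPLE = [
    build_sample_dscb("PAYROLL.MASTER", 0x40),
    build_sample_dscb("TEST.SCRATCH.DATA", 0x80),   # other flag, bit x'40' off
    build_sample_dscb("APPL.ICF.LOADLIB", 0x00),
]
```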