Hot Topics - Messmer The Brain House
can determine why a user or group ID was revoked. And LISTGRP now displays the group's creation date.
Automatic switch to backup database when I/O error occurs

There's an I/O error on your RACF database, and suddenly the console is flooded with error messages. The operator needs to issue an RVARY SWITCH to activate the backup database, but it's difficult to enter the command with all the messages coming in, and where in the heck did we put the RVARY password? It can take valuable time to find the password and enter the command. Now you don't need to. Beginning with z/OS V1R7, RACF automatically switches to the active backup database when an I/O error is detected on the primary RACF database and the UCB indicates that the device has been varied offline. And nobody needs to enter a password. Note that both conditions must hold: if the device is still online when the I/O error occurs, the automatic switch does not apply, and a manual RVARY SWITCH (with the RVARY password) is still the way to activate the backup.
Auditing getpsent

Tired of getting huge quantities of SMF type 80 records for getpsent when you've set the auditing option for the PROCACT class to FAILURES? Failures are normal for getpsent, so we've changed the way RACF audits it. Now it's audited only when you specify ALWAYS as the auditing option (SETROPTS LOGOPTIONS) for the PROCACT class. If you still want getpsent audited, set ALWAYS for PROCACT and expect the record volume that comes with it.
PassTicket enhancements

We've added a callable service interface that supports problem state callers for PassTicket generation and evaluation. With the r_ticketserv interface (IRRSPK00), you can now use PassTicket functions from 31-bit callers. The r_gensec callable service (IRRSGS00) now supports 64-bit callers. And we've added a new Java interface, using the Java Native Interface (JNI), which calls the updated r_ticketserv and r_gensec callable services, allowing Java code to easily access PassTicket services running on z/OS. These changes should make it easier to use PassTickets.
Nested ACEEs and delegated resources

A daemon is a highly privileged UNIX® program that processes requests on behalf of clients. The daemon creates a new address space in which the security environment is that of the client. Once the new address space has been created, there is no longer any relationship between the daemon and the client. That means the client needs to be authorized to all resources the daemon uses on its behalf.

Enter the nested ACEE, new in z/OS V1R7. An access control environment element (ACEE) is a control block that describes the user's security environment. A nested ACEE associates a client identity with the daemon that spawned it by "nesting" the daemon identity within the security environment created for the client. When a nested ACEE is used in an authorization check and the client's check fails, RACF then checks the daemon's authorization. Applications create nested ACEEs using the new NESTED keyword on the RACROUTE REQUEST=VERIFY,ENVIR=CREATE macro. By using nested ACEEs, applications can remove the need to permit large numbers of users to highly sensitive RACF-protected resources.

Unconditionally honoring a nested ACEE might inappropriately grant a client access to an unintended resource (the daemon's authority would extend to everything the daemon is permitted to, not just the resources the application needs). Therefore, only certain resources honor nested ACEEs in authorization checks. These resources are referred to as delegated resources. The security administrator designates a resource as delegated by placing the string "RACF-DELEGATED" in the APPLDATA field of the RACF profile protecting the resource.

Important note: Security administrators should only create delegated resources if directed to do so by application documentation. An application must be specifically coded to exploit nested ACEEs, and the application should document the names of the resources that must be delegated for that application to function properly.
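The designation step described above, worked through as an added example. These commands are not from the newsletter or from IBM documentation; the profile name MYAPP.SENSITIVE.FUNCTION, the choice of the FACILITY class and the daemon user ID MYDAEMON are assumptions standing in for whatever the application's own documentation actually names. The sequence is written as TSO commands with CLIST-style comments:

```tso
/* Assumed names: MYAPP.SENSITIVE.FUNCTION (FACILITY profile) and  */
/* MYDAEMON (daemon user ID). Substitute the names the application  */
/* documentation gives you.                                         */

/* 1. Protect the resource; nobody gets access by default.          */
RDEFINE FACILITY MYAPP.SENSITIVE.FUNCTION UACC(NONE)

/* 2. Permit only the daemon's own identity. Clients are NOT        */
/*    permitted here; avoiding that is the whole point of delegation.*/
PERMIT MYAPP.SENSITIVE.FUNCTION CLASS(FACILITY) ID(MYDAEMON) ACCESS(READ)

/* 3. Mark the resource as delegated so that a nested ACEE whose    */
/*    client check fails falls back to the daemon's authorization.  */
RALTER FACILITY MYAPP.SENSITIVE.FUNCTION APPLDATA('RACF-DELEGATED')

/* 4. FACILITY is normally RACLISTed; refresh so the in-storage     */
/*    profiles pick up the change.                                  */
SETROPTS RACLIST(FACILITY) REFRESH

/* 5. Verify. The APPLICATION DATA line of the RLIST output should  */
/*    read RACF-DELEGATED, and the access list should show only     */
/*    MYDAEMON.                                                     */
RLIST FACILITY MYAPP.SENSITIVE.FUNCTION AUTHUSER

/* To withdraw delegation later, drop the APPLDATA and refresh.     */
RALTER FACILITY MYAPP.SENSITIVE.FUNCTION NOAPPLDATA
SETROPTS RACLIST(FACILITY) REFRESH
```

A profile that is not marked this way keeps the ordinary rule: the client's own permission decides, and the daemon identity carried in the nested ACEE is ignored. That is why the marker belongs only on the profiles the application's documentation lists, and why step 5 is worth repeating after any later RALTER of the profile.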
Haikus in honor of the mainframe

As part of the IBM Academic Initiative's recent Mainframe Challenge, college students were asked to submit haikus (short, three-line poems) on the topic of mainframe computers. Throughout this issue, we're pleased to feature a few of our favorites. Enjoy – and let us know how you like them! newsletr@us.ibm.com

The Editors

Mainframes confound me
About them I am learning
with great interest.

Andrew Galla,
California University of Pennsylvania

February 2006 z/OS HOT TOPICS Newsletter, Issue 14, page 9