IBM Resource Access Control Facility Security Server for IBM z/VM
The IBM Resource Access Control Facility (RACF) Security Server 710 for z/VM 7.1.0, builds on the function that is provided by previous releases. Significant System Programming Enhancements (SPEs) were made since September 2015 to increase the capability and security of RACF.
This chapter describes the processes of installing, configuring, managing, monitoring, auditing, and controlling of RACF resources. This chapter follows the concepts that are presented in Secure Configuration Guide for z/VM, SC24-6323.
 
Note: Secure Configuration Guide for z/VM, SC24-6323, describes installing and customizing z/VM and RACF in a way that meets requirements for certification for the Common Criteria Operating System Protection Profile (OSPP). This chapter does not describe all of the steps that are involved in setting up the certified configuration. However, important basic steps are outlined in Secure Configuration Guide for z/VM, SC24-6323 that are important for a normal RACF installation.
A Directory Manager is recommended for a Single System Image (SSI) environment to maintain synchronization between object directories. Although the Common Criteria evaluation does not make any claims about z/VM, security administrators should determine what Directory Manager best fits their security policies and act accordingly.
This chapter assumes the use of the IBM z/VM Directory Manager (DirMaint) product for managing the user directory of the system, with RACF and DirMaint configured to work together. Unlike other operating systems, z/VM separates the processes of user definition and security administration.
 
You must first define the virtual machine (VM) in the user directory, which provides basic resource control configuration. If you are using an external security manager (ESM), you must also add users and define user resources profile to the ESM database.
For more information about DirMaint installation and its use, see Appendix A, “DirMaint implementation” in Security on z/VM, SG24-7471, and in IBM Virtualization Cookbook z/VM 6.3, SG24-8147.
For more information about the DirMaint-RACF Connector, see this website.
This chapter includes the following topics:
4.1 RACF z/VM concepts
This section describes some concepts about RACF to protect the security of a z/VM installation.
4.1.1 External security manager
An external security manager (ESM) is software that provides enhanced security access control over the functions that are provided by the operating system. As with z/OS®, z/VM implements the ESM concept so that you can choose and configure a security manager that fits your organization needs. RACF Security Server for z/VM is the IBM ESM for the z/VM platform.
The ESM receives requests from resource managers on the system (CP, Shared File System, TCP/IP, FTP, and so on) on behalf of userids (VMs) that must access resources. When the resource manager is enabled for an ESM, it calls the ESM to check whether the z/VM userid (VM) has the proper authorization to access the resource.
The ESM performs several operations to determine what happens next. It first checks to see whether it is set up to be responsible for the type of resources being requested (for example, minidisks or virtual switches). If the ESM is responsible, it checks whether the z/VM userid (VM) has direct access to the resource, or is a member of a group that has access to the resource. If the z/VM userid (VM) or a group of which that userid is a member has the authority, access is granted to the resource.
The ESM can also be configured to control what occurs when the ESM is not responsible for the type of resources being requested, or an explicit resource definition is not available to control access to the particular resource being requested. The ESM can be configured to deny access to the resource in that situation.
Alternatively, the ESM can defer authorization to z/VM CP component, which means that the resource manager then must use the traditional access methods (for example, passwords that are configured in the user directory in the case of minidisks) to control access to the resource.
 
Note: The default action that is taken by RACF is to defer to CP. For more information about this action and how to change this default action, see 4.2.5, “Using HCPRWAC” on page 85.
The z/VM resource managers interface with the ESM by using the RPI interface.
4.1.2 Security policy
An ESM must be configured to support its role in maintaining system security and integrity. In the case of RACF, this configuration occurs in the following areas:
RACF options
Classes
User definitions
Resource definitions (profiles)
Access control lists (ACLs)
Audit settings
The combination of these configuration settings must follow your organization’s security policy. The policy is agreed to across operational and business areas in your organization, and covers issues, such as the following examples:
The default levels of access that should exist for different types of resources.
Whether access to resources is managed by grouping them or by maintaining separate ACLs for each resource.
What level of tracking of access requests occur (for example, auditing all access requests or just failures).
The roles and responsibilities of administrators and users in the organization, including the separation of duties between those roles.
The security policy is implemented by using the configurations and settings in RACF.
 
Note: For more information about how to start implementing a security policy by using RACF, see Chapter 2, “Organizing for RACF Implementation” of RACF Security Server Security Administrator’s Guide, SC24-6311.
The “default” security policy
The process that is described in this chapter is based on the steps that are outlined in Program Directory for RACF Security Server for z/VM, GI13-4358. In this process, you use a utility that is supplied with RACF to create an initial database of RACF profiles and ACLs that are based on your system’s current CP directory. In effect, this process implements a “default” security policy. Likewise, the functions of other system components, such as the DirMaint-RACF connector.
The policy that is inferred by using the basic RACF utilities is sufficient for most installations. After all, it is based on the policy as implemented by the CP directory, and most installations do not change the definitions that are contained there. The following basic rules are inherent in this policy:
All resources include profiles that protect that resource specifically (known as discrete profiles).
The owner of a resource has full authority over that resource, including the authority to grant other users access to it.
Administration roles (auditor and security administrator) are separated.
Some highly sensitive organizations, or those installations with experienced security administration staff, might want to adjust the output that is generated by the utilities so that they better reflect the specific needs of the organization.
Optimizing administration
Another aspect of the “default” operation of RACF functions and utilities is that the number of resource profiles and ACLs is not optimized. With every resource having a discrete profile, the number of profiles in the database can grow, and it can become more complex to manage many resources. For more information about a more streamlined way to manage resource protection, see 4.3.4, “Securing your minidisks with RACF” on page 97.
If you use only the RACF utilities and tools for management, such as the DirMaint-RACF connector, this issue is insignificant here. Although the number of profiles in RACF might become large, the utilities keep them up to date.
 
If you choose to optimize your RACF operation and use techniques, such as generic profiles and group-based access control, be aware that you might have to do some work to implement your own system to manage your altered policy. For example, you might not use the DirMaint-RACF connector to manage minidisk profiles (the VMMDISK class) if you use group membership to authorize minidisk access.
4.2 Activating and configuring RACF
RACF for z/VM is included with the z/VM 7.1.0 system deliverable and managed by using Virtual Machine Serviceability Enhancement Staged/Extended (VMSES/E). RACF for z/VM is a priced product that is supplied in a disabled state. It must be enabled and configured by the system programmer before you use it.
The Program Directory for the product describes the installation process and can be downloaded from this website.
 
Note: Make sure that your installation includes a license for RACF before you activate it.
For more information about the step-by-step process to enable and configure the product, see Program Directory for RACF Security Server for z/VM, GI13-4358.
This process includes the following main steps:
1. Set RACF to the ENABLED state by using the VMSES/E tools.
2. Perform post activation steps, as described in 4.2.1, “Post-activation tasks” on page 59.
3. Build the RACF enabled CPLOAD MODULE, as described in 4.2.2, “Building the RACF enabled CPLOAD MODULE” on page 77.
4. Update the RACF database and options, as described in 4.2.3, “Updating the RACF database and options” on page 80.
5. Place RACF into production, as described in 4.2.4, “Placing RACF into production” on page 84.
6. Update the authorization process, as described in 4.2.5, “Using HCPRWAC” on page 85.
Print the procedural checklist from the RACF Security Server for z/VM Program Directory so that you do not miss any important steps in the process.
This chapter assumes that the reader has basic z/VM system programming knowledge. Experience with VMSES/E and its processes is helpful, but not essential.
4.2.1 Post-activation tasks
This section describes the following tasks that you must perform after you activated the RACF code. These tasks reflect preferred practices that were tested in the ITSO test environment:
Updating the RACF user ID directory entry
Allocating the RACF DASD
The default definitions of the minidisks that are used to hold the primary and backup RACF database are not recommended for production use. By default, both minidisks are defined on the same volume, which means the database might be lost if that volume is lost. Also, if you enabled the z/VM SSI feature, you are required to have the RACF database on full-pack minidisks rather than the default minidisks.
If you are not using SSI, move the RACFVM 300 disk to a different volume on your system. This process ensures that if the volume that is holding the 200 disk is damaged, you do not lose all the RACF data. Then, you can proceed with “Defining RACF user IDs” on page 66.
If you are using SSI, follow the directions in the following sections (from the “Sharing RACF Databases in a z/VM Single System Image Cluster” section of z/VM: RACF Security Server System Programmer’s Guide, SC24-6312) to define both RACF database minidisks as full-pack minidisks:
Moving the RACFVM 200 and 300 minidisks
Remove the minidisk definitions. Example 4-1 shows the use of the DIRM CHVADDR command to move the definitions to a different device address.
 
Note: In this example, we decided not to delete these minidisks, but rather to move them to a different address so that we can use them as the source for copying the supplied initialized primary and backup databases later in the process. This action also provides a number of disks across the system that can be used as destinations for backing up the databases. Backing up the RACF database is described in 4.3.7, “Backing up the RACF database” on page 103.
Example 4-1 Moving the minidisk definitions
dirm for racfvm-1 chvaddr 200 to f200
DVHXMT1191I Your CHVADDR request has been sent for processing to
DVHXMT1191I DIRMAINT at ITSOZVM1.
Ready; T=0.01/0.01 16:57:43
DVHREQ2288I Your CHVADDR request for RACFVM-1 at * has been accepted.
DVHBIU3450I The source for directory entry RACFVM-1 has been updated.
DVHBIU3424I The next ONLINE will take place immediately.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHBIU3428I Changes made to directory entry RACFVM-1 have been placed
DVHBIU3428I online.
DVHREQ2289I Your CHVADDR request for RACFVM-1 at * has completed; with
DVHREQ2289I RC = 0.
dirm for racfvm-1 chvaddr 300 to f300
DVHXMT1191I Your CHVADDR request has been sent for processing to
DVHXMT1191I DIRMAINT at ITSOZVM1.
Ready; T=0.01/0.01 16:57:52
DVHREQ2288I Your CHVADDR request for RACFVM-1 at * has been accepted.
DVHBIU3450I The source for directory entry RACFVM-1 has been updated.
DVHBIU3424I The next ONLINE will take place immediately.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHBIU3428I Changes made to directory entry RACFVM-1 have been placed
DVHBIU3428I online.
DVHREQ2289I Your CHVADDR request for RACFVM-1 at * has completed; with
DVHREQ2289I RC = 0.
Example 4-1 on page 60 shows the first member of the SSI cluster. We repeated the commands for each of the other members of the cluster (IDs RACFVM-2, RACFVM-3, and RACFVM-4).
Creating definitions for RACFVM 200 and 300 disks as full-pack minidisks
Next, add the new full pack minidisk definitions to the RACFVM user. In this example, we obtain two 3390 volumes that we can use as RACF database volumes and add them to the RACFVM user. In this example, we add the disks to the directory IDENTITY entry for RACFVM, which is recommended when all members of the SSI cluster see the disks at the same device address.
 
 
 
 
 
Note: If your configuration does not have symmetric device addressing (that is, the RACF database disks do not have the same device address across all members of the SSI cluster), you must add the disks to each SUBCONFIG entry by using the appropriate device addresses.
Example 4-2 shows how we achieved this task by using the DIRM AMDISK command in DirMaint.
Example 4-2 Add disk devices to RACFVM
dirm for racfvm amdisk 200 3390 devno 3b07 mwv pws read write multiple
DVHXMT1191I Your AMDISK request has been sent for processing to DIRMAINT
DVHXMT1191I at ITSOZVM1.
Ready; T=0.01/0.01 16:40:19
DVHREQ2288I Your AMDISK request for RACFVM at * has been accepted.
DVHSCU3541I Work unit 10164020 has been built and queued for processing.
DVHSHN3541I Processing work unit 10164020 as VIC from ITSOZVM1,
DVHSHN3541I notifying VIC at ITSOZVM1, request 11 for RACFVM SSI node *;
DVHSHN3541I to: AMDISK 0200 3390 DEVNO 3B07 MWV PWS XXXX XXXXX XXXXXXXX
DVHBIU3450I The source for directory entry RACFVM has been updated.
DVHBIU3424I The next ONLINE will take place immediately.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHBIU3428I Changes made to directory entry RACFVM have been placed
DVHBIU3428I online.
DVHSHN3430I AMDISK operation for RACFVM address 0200 has finished
DVHSHN3430I (WUCF 10164020).
DVHREQ2289I Your AMDISK request for RACFVM at * has completed; with RC =
DVHREQ2289I 0.
dirm for racfvm amdisk 300 3390 devno 3c07 mwv pws read write multiple
DVHXMT1191I Your AMDISK request has been sent for processing to DIRMAINT
DVHXMT1191I at ITSOZVM1.
Ready; T=0.01/0.01 16:44:41
DVHREQ2288I Your AMDISK request for RACFVM at * has been accepted.
DVHSCU3541I Work unit 10164442 has been built and queued for processing.
DVHSHN3541I Processing work unit 10164442 as VIC from ITSOZVM1,
DVHSHN3541I notifying VIC at ITSOZVM1, request 12 for RACFVM SSI node *;
DVHSHN3541I to: AMDISK 0300 3390 DEVNO 3C07 MWV PWS XXXX XXXXX XXXXXXXX
DVHBIU3450I The source for directory entry RACFVM has been updated.
DVHBIU3424I The next ONLINE will take place immediately.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHBIU3428I Changes made to directory entry RACFVM have been placed
DVHBIU3428I online.
DVHSHN3430I AMDISK operation for RACFVM address 0300 has finished
DVHSHN3430I (WUCF 10164442).
DVHREQ2289I Your AMDISK request for RACFVM at * has completed; with RC =
DVHREQ2289I 0.
DVHREQ2288I Your LINK request for RACMNT-1 at * has been accepted.
DVHBIU3450I The source for directory entry RACMNT-1 has been updated.
DVHBIU3426I Object directory updates are currently disabled.
DVHREQ2289I Your LINK request for RACMNT-1 at * has completed; with RC =
DVHREQ2289I 0.
. . .
< above output repeats for RACMNT-2, RACMNT-3, and RACMNT-4 >
. . .
 DVHREQ2288I Your ONLINE request for VIC at * has been accepted.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHRLA3891I Your DSATCTL request has been relayed for processing.
DVHREQ2289I Your ONLINE request for VIC at * has completed; with RC = 0.
 
Note: If you use IBM Geographically Dispersed Parallel Sysplex (GDPS), you cannot use the DEVNO parameter on MDISK statements. Instead, you must follow the instructions that are contained in the Program Directory for defining the RACFVM 200 and 300 disks.
The RACMAINT user links to RACFVM 200 and 300 disks. To make sure that RACMAINT has correct access to the disks, these LINK definitions must be updated. In this example, we made these updates by creating a DirMaint batch file, as shown in Figure 4-1 on page 63.
Figure 4-1 RACMLINK DIRMBAT for batch update of RACMAINT links
Running the RACMLINK DIRMBAT file by using the DIRM BATCH RACMLINK DIRMBAT command that produced the output that is shown in Example 4-3.
Example 4-3 Update the RACMAINT links to RACF database disks
dirm batch racmlink dirmbat
PUN FILE 0077 SENT TO DIRMAINT RDR AS 4617 RECS 0026 CPY 001 0 NOHOLD NOKEEP
DVHXMT1191I Your BATCH request has been sent for processing to
DVHXMT1191I DIRMAINT at ITSOZVM1.
Ready; T=0.01/0.01 13:40:17
DVHREQ2288I Your BATCH request for VIC at * has been accepted.
DVHREQ2289I Your BATCH request for VIC at * has completed; with RC = 0.
DVHREQ2288I Your OFFLINE request for VIC at * has been accepted.
DVHREQ2289I Your OFFLINE request for VIC at * has completed; with RC =
DVHREQ2289I 0.
DVHREQ2288I Your LINK request for RACMNT-1 at * has been accepted.
DVHBIU3450I The source for directory entry RACMNT-1 has been updated.
DVHBIU3426I Object directory updates are currently disabled.
DVHREQ2289I Your LINK request for RACMNT-1 at * has completed; with RC =
DVHREQ2289I 0.
DVHREQ2288I Your LINK request for RACMNT-1 at * has been accepted.
DVHBIU3450I The source for directory entry RACMNT-1 has been updated.
DVHBIU3426I Object directory updates are currently disabled.
DVHREQ2289I Your LINK request for RACMNT-1 at * has completed; with RC =
DVHREQ2289I 0.
DVHREQ2288I Your LINK request for RACMNT-1 at * has been accepted.
DVHBIU3450I The source for directory entry RACMNT-1 has been updated.
DVHBIU3426I Object directory updates are currently disabled.
 
Note: The batch file is not the only way to complete this task. You can issue each of the commands in the batch file separately, or you can use DIRM GET command to retrieve each of the RACMAINT SUBCONFIG entries, edit the files directly, and use the DIRM REPLACE command to update them.
To verify that the directory update is correct, run DIRM REVIEW for RACFVM. The output is shown in Example 4-4 (for clarity, only the statements belonging to the first member of the SSI cluster are shown).
Example 4-4 DIRM REVIEW for RACFVM after minidisk updates
* * * Top of File * * *
IDENTITY RACFVM XXXXXXXX 20M 20M ABCDEGH
DVHRXV3366I The following configurations will be used on SSI nodes.
DVHRXV3366I The following configuration RACFVM-1 will be used on SSI
DVHRXV3366I node ITSOZVM1.
SUBCONFIG RACFVM-1
LINK MAINT 0190 0190 RR * CMS SYSTEM DISK
LINK MAINT 019D 019D RR * HELP DISK
LINK MAINT 019E 019E RR * PRODUCT CODE DISK
MDISK 0191 3390 8235 009 ZA1RS1 MR XXXXXXXX XXXXXXXX XXXXXXXX
MDISK F200 3390 8218 017 ZA1RS1 MW XXXXXXXX XXXXXXXX XXXXXXXX
MDISK 0490 3390 8244 070 ZA1RS1 MR XXXXXXXX XXXXXXXX XXXXXXXX
MDISK 0305 3390 8314 136 ZA1RS1 MR XXXXXXXX XXXXXXXX XXXXXXXX
MDISK F300 3390 8450 017 ZA1RS1 MW XXXXXXXX XXXXXXXX XXXXXXXX
MDISK 0301 3390 8467 007 ZA1RS1 MR XXXXXXXX XXXXXXXX XXXXXXXX
MDISK 0302 3390 8474 007 ZA1RS1 MR XXXXXXXX XXXXXXXX XXXXXXXX
*DVHOPT LNK0 LOG1 RCM1 SMS0 NPW1 LNGAMENG PWC20160516 CRC"y
DVHRXV3366I Preceding records were included from RACFVM-1 configuration
DVHRXV3366I for node ITSOZVM1.
-------------------- 53 line(s) not displayed --------------------
ACCOUNT SYSTEMS
IPL 490 PARM AUTOCR
IUCV *RPI PRIORITY MSGLIMIT 100
IUCV ANY PRIORITY MSGLIMIT 50
IUCV ALLOW MSGLIMIT 255
MACH XA
OPTION QUICKDSP MAXCONN 300
CONSOLE 0009 3215 T OPERATOR
SPOOL 000C 2540 READER *
SPOOL 000D 2540 PUNCH A
SPOOL 000E 1403 A
MDISK 0200 3390 DEVNO 3B07 MWV XXXXXXXX XXXXXXXX XXXXXXXX
MDISK 0300 3390 DEVNO 3C07 MWV XXXXXXXX XXXXXXXX XXXXXXXX
*DVHOPT LNK0 LOG1 RCM1 SMS0 NPW1 LNGAMENG PWC20160516 CRCúø
DVHREV3356I The following are your user option settings:
DVHREV3356I Links DISABLED Logging ON RcvMsg ON Smsg OFF NeedPW ON
DVHREV3356I Lang AMENG
DVHREV3357I The following links are in effect to your virtual machine:
DVHREV3357I To your 0301 as their 0301, Mode MR by user ID RACMNT-1
DVHREV3357I To your 0302 as their 0302, Mode MR by user ID RACMNT-1
--------------------  6  line(s) not displayed --------------------
DVHREV3357I To your 0305 as their 0305, Mode RR by user ID IBMUSER
DVHREV3357I To your 0305 as their 0305, Mode RR by user ID SYSADMIN
DVHREV3357I To your 0200 as their 0200, Mode MW by user ID RACMNT-1
DVHREV3357I To your 0300 as their 0300, Mode MW by user ID RACMNT-1
--------------------  6  line(s) not displayed --------------------
* * * End of File * * *
Defining the RACF database disks as shared
The RACF database DASD must be defined to CP as shared by adding RDEVICE statements to the SYSTEM CONFIG file for the SSI cluster. SYSTEM CONFIG is on PMAINT CF0. For this example, we add the following statements to SYSTEM CONFIG:
RDevice 3B07 Type DASD Shared YES
RDevice 3C07 Type DASD Shared YES
 
Note: Run the CPSYNTAX utility over your SYSTEM CONFIG file after making any changes. In an SSI configuration, you must use the LPAR option to test the SSI multi-configuration nature of SYSTEM CONFIG. Run this once for each logical partition (LPAR) in your SSI configuration, even if you believe that you made a change that needs to be tested once.
Defining the initial RACF database
After defining the new full pack minidisks for the RACF database, you must initialize the disks. An easy way to do this is to copy the existing supplied database minidisks by using DDR. In this example, we did this by using the process that is shown in Example 4-5.
Example 4-5 Use DDR to initialize the RACF database disks
link racfvm f200 1200 rr
Ready; T=0.01/0.01 11:50:09
link racfvm 200 2200 w
Ready; T=0.01/0.01 11:52:59
ddr
z/VM DASD DUMP/RESTORE PROGRAM
ENTER:
sysprint cons
ENTER:
input 1200 dasd
ENTER:
output 2200 dasd scratch
ENTER:
copy all
HCPDDR711D VOLID READ IS RACF
DO YOU WISH TO CONTINUE? RESPOND YES, NO OR REREAD:
yes
COPYING RACF
COPYING DATA 06/14/16 AT 15.54.06 GMT FROM RACF TO SCRATCH
INPUT CYLINDER EXTENTS OUTPUT CYLINDER EXTENTS
START STOP START STOP
0 16 0 16
END OF COPY
ENTER:
 
END OF JOB
Ready; T=0.01/0.01 11:54:12
det 1200 2200
1200 2200 DETACHED
Ready; T=0.01/0.01 11:55:36
link racfvm f300 1300 rr
Ready; T=0.01/0.01 11:55:52
link racfvm 300 2300 w
Ready; T=0.01/0.01 11:56:03
ddr
z/VM DASD DUMP/RESTORE PROGRAM
ENTER:
sysprint cons
ENTER:
input 1300 dasd
ENTER:
output 2300 dasd scratch
ENTER:
copy all
HCPDDR711D VOLID READ IS RACFBK
DO YOU WISH TO CONTINUE? RESPOND YES, NO OR REREAD:
yes
COPYING RACFBK
COPYING DATA 06/14/16 AT 15.56.53 GMT FROM RACFBK TO SCRATCH
INPUT CYLINDER EXTENTS OUTPUT CYLINDER EXTENTS
START STOP START STOP
0 16 0 16
END OF COPY
ENTER:
END OF JOB
Ready; T=0.01/0.01 11:56:56
det 1300 2300
1300 2300 DETACHED
Ready; T=0.01/0.01 11:57:01
The volume label that is read from the source disk in each DDR step helps you ensure that the correct disk is copied. “RACF” and “RACFBK” are the labels that are expected on the primary and backup disks.
 
Note: For more information about how to move from minidisk to full-pack if an increase in the database allocation is needed, see RACF Security Server System Programmer’s Guide, SC24-6312.
Defining RACF user IDs
The following VMs are defined in a default CP directory:
7VMRAC10 Product owning VM (This is a release-specific user ID and changes with every new release of z/VM.)
RACFVM Production VM
RACFSMF SMF VM
RACMAINT Backup VM
IBMUSER Initial RACF administrator
AUTOLOG1 System startup machine
AUTOLOG2 System startup machine
SYSADMIN Authorized RACF administrator
Users with NOLOG password
In a normal z/VM installation, several user IDs are defined with the password NOLOG. RACF Security Server Security Administrator Guide, SC24-6311 describes the following methods that can be used to handle such users:
Leave the password as NOLOG.
RPIDIRCT defines these users as protected and revoked by setting the NOPASSWORD, NOPHRASE, and REVOKED attributes. However, because NOLOG is a special reserved password to CP that prevents access, a logon request from such a user cannot be passed to RACF. Therefore, if such a user must access the system in the future, the CP directory and RACF must be updated to activate the user.
Change the password to UNLOG.
Similar to the NOLOG password, RPIDIRCT defines these users as protected and revoked by setting the NOPASSWORD, NOPHRASE, and REVOKED attributes. Because UNLOG is not a CP reserved password, CP passes a logon request for such a user to RACF. Therefore, the user can be granted system access in the future only by performing a RACF update.
What you decide to do here depends on the local security policy and procedure, and whether you intend to use the DirMaint-RACF connector. The password management code in the connector handles what to do with privileged passwords, such as NOLOG; therefore, changing the directory before setting up RACF yields little advantage.
 
Note: The use of the RPIDIRCT command creates a user with a NOLOG or UNLOG password with the NOPASS, NOPHRASE, and REVOKED set. However, the DirMaint-RACF connector sets only REVOKED for a NOLOG user. If your installation performs all password management by using DirMaint, this issue is not important because the connector resets the password field in RACF if the user is migrated out of NOLOG status.
If you decide to change the NOLOG passwords to UNLOG, proceed with “Changing NOLOG to UNLOG”. If you decide not to, continue with “Evaluating the minidisk access” on page 68.
Changing NOLOG to UNLOG
To perform this change, you must determine what file is used for the source directory while implementing RACF. If you implemented DirMaint, you must obtain a copy of the USER WITHPASS file from the DIRMAINT VM, as shown in Example 4-6.
Example 4-6 DIRM USER WITHPASS
dirm user withpass
DVHXMT1191I Your USER request has been sent for processing.
Ready; T=0.03/0.03 11:38:50
DVHREQ2288I Your USER request for MAINT at * has been accepted.
RDR FILE 0012 SENT FROM DIRMAINT PUN WAS 0020 RECS 2261 CPY 001 A NOHOLD
DVHREQ2289I Your USER request for MAINT at * has completed; with RC = 0.
 
receive 12 user withpass a2 (replace
File USER WITHPASS A2 replaced USER WITHPASS A0 with USER WITHPASS A0 rec
from DIRMAINT at VMLINUX5
Ready; T=0.01/0.01 11:39:15
If you did not implement DirMaint, you can use a copy of the USER DIRECT file on MAINT’s 2CC disk. When you receive this file, save it as an A2 file to allow the RACF user ID to access the file in later steps. This file is required when the RPIDIRCT EXEC runs later.
The easy way is to perform a global XEDIT change command and change NOLOG to UNLOG within the file, as shown in Figure 4-2.
Figure 4-2 USER WITHPASS
Evaluating the minidisk access
A z/VM system includes several user minidisks with a read password of ALL, which means that the disk is accessible to all users on the system without prompting for a password. This is usually for disks that contain programs that can be used by all users on the system. MAINT 190 and TCPMAINT 592 are examples (CMS and TCP/IP clients).
The RPIDIRCT EXEC command, which is used in the RACF installation process to create RACF authorization commands from CP directory entries, uses the UACC (universal access) attribute of the created resource to make an equivalent, as shown in the following example:
RDEFINE VMMDISK MAINT.190 OWNER(MAINT) UACC(READ)
Auditors often flag any profile with UACC(READ) as a potential area for information leakage, and recommend UACC(NONE) be used instead. It is a preferred practice to use a PERMIT ACL specifying ID(*) in place of UACC(READ). Review the passwords on your system before running RPIDIRCT.
Running RPIDIRCT
RPIDIRCT EXEC is used to generate the RPIDIRCT SYSUT1 file that contains all the RACF commands to add the users to define the RACF classes, such as VMMDISK and VMRDR, and to permit the owners to the resources. This exec is run from the product owning VM for RACF.
Before you run the exec, you must obtain a copy of the current user directory. If you do not use a directory manager (such as DirMaint), the directory is contained in the file USER DIRECT on PMAINT 2CC.
If you use DirMaint, you must run the command DIRM USER WITHPASS from a DirMaint administration user ID, and make the resulting USER WITHPASS file available to the 7VMRAC10 user. How we performed this on our system is shown in Example 4-7.
Example 4-7 Run DIRM USER WITHPASS
dirm user withpass
DVHXMT1191I Your USER request has been sent for processing to DIRMAINT
DVHXMT1191I at ITSOZVM1.
Ready; T=0.01/0.01 15:39:48
DVHREQ2288I Your USER request for VIC at * has been accepted.
RDR FILE 0065 SENT FROM DIRMAINT PUN WAS 4381 RECS 5673 CPY 001 A NOHOLD NOKEEP
DVHREQ2289I Your USER request for VIC at * has completed; with RC = 0.
receive 65
File USER WITHPASS A0 created from USER WITHPASS A0 received from DIRMAINT at IT
SOZVM1
Ready; T=0.01/0.01 15:39:54
sendf user withpass a to 7vmrac10
File USER WITHPASS A0 sent to 7VMRAC10 at ITSOZVM1 on 06/12/19 15:40:01
Ready; T=0.01/0.01 15:40:02
On 7VMRAC10, we used the RECEIVE command to accept the file that is sent from our administrator user. You also must access the 7VMRAC10 651 disk, which is where the RPIDIRCT EXEC is stored.
Because RPIDIRCT EXEC generates much output, run the cp term more 0 0 command before running the exec. This process makes the exec run without you needing to clear the pane repeatedly. However, if you run this command, spool your terminal in case an error occurs and you must discover what happened. Preparation for running RPIDIRCT is shown in Figure 4-3.
Figure 4-3 Set up to run RPIDIRCT EXEC
When you run the RPIDIRCT EXEC command, you must provide the file name and file type of the source directory file. It searches for the file on all accessed disks.
The default output file mode is A. When the exec starts, it prompts you to change the default group ID. Because we used the default, we replied N to the prompt question.
Figure 4-4 shows an example of the rpidirct user withpass command.
USER WITHPASS Filemode defaulted to "*".
Output defaulted to "A" disk.
Default group ID = SYS1.
Would you like to change this default?
Enter Y/N
N
Default group ID = SYS1.
 
PROFILE IBMDFLT
 
PROFILE TCPCMSU
 
PROFILE TCPGCSU
--------------------  4277 line(s) not displayed ------------
********** 5531 Directory records processed ****************
*************** RPIDIRCT SYSUT1 CREATED ********************
Figure 4-4 Run RPIDIRCT EXEC
Secure Configuration Guide for z/VM, SC24-6323 suggests that, after running RPIDIRCT, you modify the resulting RPIDIRCT SYSUT1 file in the following ways:
Alter the VMRDR profile for MAINT710 to specify UACC(UPDATE).
Add any PERMITs that are required.
Updating the MAINT710 profile in VMRDR is required for the correct operation of the SERVICE EXEC, as described in Program Directory for RACF Security Server for z/VM, GI13-4358.
Make the same changes to the following VMs:
TCPMAINT The TCP/IP daemon VMs spool their console to TCPMAINT.
DIRMAINT Makes the DIRM SEND command work.
DATAMOVE Allows DIRMAINT to send files to DATAMOVE (2 3 4 too).
DIRMSATn Allows the correct DirMaint operation across the SSI cluster.
Other permits are required.
In our installation, several guests used the COMMAND directory control statement to include a SET VSWITCH GRANT command that authorized access to a VSWITCH. These control statements can be seen in the USER WITHPASS file, as shown in the following example:
COMMAND SET VSWITCH VSW1 GRANT &USERID
To make sure that these statements are considered, complete the following steps:
1. Find all SET VSWITCH GRANT commands in the CP directory.
2. Scan the RPIDIRCT SYSUT1 file to see whether RDEFINE commands for the VSWITCH or Guest LAN that is named on the SET VSWITCH GRANT commands are present (if a NICDEF directory control statement mentions the same VSWITCH, RPIDIRCT created the RDEFINE command).
If none exists, add the appropriate RDEFINE commands to RPIDIRCT SYSUT1, as shown in the following example:
RDEFINE VMLAN SYSTEM.VSW1 UACC(NONE)
3. For each SET VSWITCH GRANT command:
a. If it appears in a directory PROFILE entry, make a list of all users that INCLUDE that profile entry.
b. Add the appropriate PERMIT command (or commands) to RPIDIRCT SYSUT1. If the command is on a single directory entry, a single PERMIT command is needed. If the command is part of a directory profile, add a PERMIT command for each user that has an INCLUDE statement for that profile.
PERMIT SYSTEM.VSW1 CLASS(VMLAN) ID(LNXS0006) ACC(UPDATE)
In addition, if the SET VSWITCH GRANT command includes the VLAN parameter, complete the following steps:
i. Scan the RPIDIRCT SYSUT1 file to see whether an RDEFINE command exists for the VLAN ID on the VSWITCH or Guest LAN. If none exists, add the appropriate RDEFINE commands to RPIDIRCT SYSUT1 (a separate RDEFINE is needed for each VLAN that is on the SET VSWITCH GRANT command), as shown in the following example:
RDEFINE VMLAN SYSTEM.VSW1.0201 UACC(NONE)
ii. Add the appropriate PERMIT command (or commands) to RPIDIRCT SYSUT1, as shown in the following example:
PERMIT SYSTEM.VSW1.0201 CLASS(VMLAN) ID(LNXS0006) ACC(UPDATE)
A similar process is used for virtual network access that is granted by using MODIFY statements in SYSTEM CONFIG or SET VSWITCH GRANT commands in AUTOLOG1 PROFILE EXEC or other scripts.
For each statement or command, complete the following steps:
1. Scan RPIDIRCT SYSUT1 to see whether an RDEFINE for the VSWITCH or Guest LAN exists. If none is present, add the appropriate RDEFINE command to RPIDIRCT SYSUT1, as shown in the following example:
RDEFINE VMLAN SYSTEM.VSW1 UACC(NONE)
2. Add the appropriate PERMIT command to RPIDIRCT SYSUT1, as shown in the following example:
PERMIT SYSTEM.VSW1 CLASS(VMLAN) ID(LNXS0006) ACC(UPDATE)
In addition, if the SET VSWITCH GRANT command includes the VLAN parameter, complete the following steps:
a. Scan the RPIDIRCT SYSUT1 file to see whether an RDEFINE command exists for the VLAN ID on the VSWITCH or Guest LAN. If none is present, add the appropriate RDEFINE commands to RPIDIRCT SYSUT1 (a separate RDEFINE is needed for each VLAN given on the SET VSWITCH GRANT command), as shown in the following example:
RDEFINE VMLAN SYSTEM.VSW1.0201 UACC(NONE)
b. Add the appropriate PERMIT command (or commands) to RPIDIRCT SYSUT1, as shown in the following example:
PERMIT SYSTEM.VSW1.0201 CLASS(VMLAN) ID(LNXS0006) ACC(UPDATE)
 
Note: If many guest virtual network connections or a complex virtual network configuration exist, you might decide to leave activating the VMLAN class until after the rest of RACF configuration is stabilized.
You can defer the activation of VMLAN until a later time by commenting out the SETROPTS CLASSACT(VMLAN) command from the RPIDIRCT SYSUT1 file. Resource profiles and permit statements that are contained in RPIDIRCT SYSUT1 are defined to the RACF database, but the class is not activated; therefore, your virtual network permission structure is retained.
Take the time to implement VMLAN when the RACF is installed. It might not be feasible to return at a later and implement the required changes.
Customizing the processing of SMF records
One of the reasons that you run RACF on your z/VM system is to audit who is doing what on the system. This auditing requires the configuration of SMF to record reliably the audit information that is captured by RACF. To use the RACFSMF VM, you must set up the PROFILE EXEC and the SMF CONTROL files by completing the following tasks:
Create the RACFSMF PROFILE EXEC.
Modify the SMF CONTROL file.
These tasks are described next.
Creating the RACFSMF PROFILE EXEC
You create the PROFILE EXEC by copying the SMFPROF EXEC from the RACFVM 305 minidisk, as shown in Example 4-8.
Example 4-8 Create the PROFILE EXEC for RACFSMF
link racfvm 305 305 rr
DASD 0305 LINKED R/O; R/W BY RACFVM at ITSOZVM4
Ready;
acc 305 e
DMSACP723I E (305) R/O
Ready;
link racfsmf 191 291 mr
Ready;
acc 291 m
Ready;
copy smfprof exec e profile exec m
Ready;
After you copy the file, modify the SMFFREQ and SMFSWTCH parameters to match what is shown in Example 4-9.
Example 4-9 RACFSMF’s PROFILE EXEC
PROFILE EXEC M1 V 130 Trunc=130 Size=428 Line=124 Col=1
===>
124 Smfpct = 80
125 Smfinfo = 'OPERATOR' /* Default message
126 Smffreq = ' AUTO ' /* Valid values: DAILY, WEEKLY,
127 /* AUTO
128 Smfday = 'MONDAY' /* Valid values: SATURDAY - FRI
129 Smfswtch = ' NO ' /* Valid values: YES NO
130 /* 1 line deleted
131 hi = '1de8'x
132 lo = '1d60'x
Modifying the SMF CONTROL file
The Program Directory instructs you to detach the RACFSMF 191 disk when you complete the work on the PROFILE EXEC. However, the next step instructs you to link and access this disk again because you must copy the SMF CONTROL file to several disks.
The SMF CONTROL file is on the RACFVM 191 disk. The directions instruct you to copy it to the RACFSMF 191 disk, modify it, and then copy it back to the original disk. It is easier to modify the one on the RACFVM disk and then copy it to the two other disks.
Link and access the appropriate disk. Because you still have the RACFSMF 191 disk, you can complete the steps that are shown in Example 4-10.
Example 4-10 Access the appropriate disk
link racfvm 191 391 mw
DASD 0391 LINKED R/W; R/W BY RACFVM at ITSOZVM4
Ready;
link racmaint 191 491 mr
Ready;
acc 391 n
Ready;
acc 491 o
Ready;
Edit the SMF CONTROL file on the N disk (which is the RACFVM 191 disk). Make the change that is shown in Example 4-11. The SEVER keyword determines RACF behavior if the SMF disks are filled. If SEVER is set to NO, auditing continues with newer SMF data overwriting older audit records. If SEVER is set to YES, RACF ceases operations because it cannot audit security relevant events on the hypervisor. The SEVER keyword is initially set to NO. If you choose to set SEVER to YES, RACF severs the path between CP and RACF when the SMF disks are full, and RACF cannot continue recording SMF records.
The file contains only one line, so it is split into two lines for readability.
Example 4-11 SMF CONTROL
SMF CONTROL N1 F 100 Trunc=100 Size=2
====>
* * * Top of File * * *
CURRENT 301 K PRIMARY 301 K SECONDARY 302 K
10000 VMSP CLOSE 001 SEVER YES 0 RACFSMF
* * * End of File * * *
After modifying this file, you must copy it to the M and O disks. Then, the flist smf control * command should return results similar to the results that are shown in Example 4-12.
Example 4-12 File list of SMF CONTROL
LVL 0 --------------- SMF CONTROL *------- FILE 1 OF 4
SMF CONTROL E1 F 100 1 1 11/29/05 12:57
SMF CONTROL M1 F 100 1 1 6/22/16 14:52
SMF CONTROL N1 F 100 1 1 6/22/16 14:40
SMF CONTROL O1 F 100 1 1 6/22/16 14:51
The SMF CONTROL file on the E disk is your original file on the RACFVM 305 disk, and it should not be changed. Now, you can detach the 291, 391, and 491 disks.
Password encryption algorithm
In z/VM 6.3, RACF for z/VM introduced a new password encryption method that is known as KDFAES. This method uses strong encryption and is supported by the hardware CPACF feature to protect the RACF database from an offline attack. As a preferred practice, use KDFAES. To activate KDFAES, run the following command:
SETROPTS PASSWORD(ALGORITHM(KDFAES))
 
Note: For more information about enabling and working with KDFAES, including considerations for enabling this mode, see “RACF KDFAES algorithm” on page 122.
If KDFAES is not used, the RACF exit ICHDEX01 controls whether masking or DES encryption is used for password encryption. If the IBM supplied ICHDEX01 exit is present and active, RACF password masking is used. If the ICHDEX01 exit is deactivated or not present, RACF DES encryption is used.
RACF DES encryption is recommended over the masking technique. Before RACF function level 540 (z/VM 5.4), the ICHDEX01 exit was deleted to allow RACF DES encryption to occur. From RACF FL540 onward, the ICHDEX01 exist is disabled by default.
Removing ICHRCX02
As a preferred practice, remove the ICHRCX02 exit that is enabled by default. ICHRCX02 removal disables batch-mode alternative user ID user support.
To perform this step, you do not need the HLASM. To delete the ICHRCX02 exit, follow the instructions in Appendix B.3, “Local Modification to Full Part Replacement Text Files”, in the Program Directory for RACF Security Server for z/VM, GI13-4358 by using the following substitution values:
For fn, use ICHRCX02
For blist, use RPIBLLPA
Use the VMSES/E process to create a local modification to this load library. A local copy of the RPIBLLPA EXEC is created and the local modification is logged in the local version vector table for the product. The local version vector table is a log file of the parts for which you performed local service. It is important to complete these steps so that future IBM service to this part does not overlay your local modifications.
The first step in deleting this member of the RACFLPA LOADLIB is to establish the 7VMRAC10 minidisk order. In this example, we used the VMSES/E exec VMFSETUP to perform this step (see Example 4-13).
Example 4-13 VMFSETUP for RACF
vmfsetup 7VMRAC10 racf
VMFSET2760I VMFSETUP processing started for 7VMRAC10 RACF
VMFUTL2205I Minidisk|Directory Assignments:
String Mode Stat Vdev Label (OwnerID Odev : Cyl/%Used)
-or- SFS Directory Name
VMFUTL2205I LOCALSAM E R/W 2C2 RAC2C2 (7VMRAC10 02C2 : 9/00)
VMFUTL2205I APPLY F R/W 2A6 RAC2A6 (7VMRAC10 02A6 : 9/01)
VMFUTL2205I G R/W 2A2 RAC2A2 (7VMRAC10 02A2 : 9/01)
VMFUTL2205I DELTA H R/W 2D2 RAC2D2 (7VMRAC10 02D2 : 70/01)
VMFUTL2205I BUILD0 I R/W 29E RAC29E (7VMRAC10 029E : 10/50)
VMFUTL2205I BUILD6 J R/W 599 RAC599 (7VMRAC10 0599 : 31/45)
VMFUTL2205I BUILD4 K R/W 505 RAC505 (7VMRAC10 0505 : 41/71)
VMFUTL2205I BUILD2 L R/W 590 RAC590 (7VMRAC10 0590 : 63/33)
VMFUTL2205I BUILD8 M R/W 651 RAC651 (7VMRAC10 0651 : 1/23)
VMFUTL2205I BASE N R/W 2B2 RAC2B2 (7VMRAC10 02B2 : 85/84)
VMFUTL2205I -------- A R/W 191 MNT191 (MAINT710 0191 : 175/01)
VMFUTL2205I -------- B R/W 5E6 MNT5E6 (MAINT710 05E6 : 9/79)
VMFUTL2205I -------- C R/W 2CC MNT2CC (PMAINT 02CC : 10/16)
VMFUTL2205I -------- D R/W 51D MNT51D (MAINT710 051D : 26/22)
VMFUTL2205I -------- S R/O 190 MNT190 (MAINT 0190 : 207/47)
VMFUTL2205I -------- Y/S R/O 19E MNT19E (MAINT 019E : 500/39)
VMFSET2760I VMFSETUP processing completed successfully
Ready; T=0.03/0.04 11:52:06
The next step is to determine the highest level of service to the build list for the RACFLPA load library by using the VMFSIM EXEC with the GETLVL parameter. The exec searches all of the version vector tables for this product and determines the highest level of service. It returns the file name and file type of that part. If you do not run the VMFSETUP exec before you run the VMFSIM exec, you do not receive the correct results.
Example 4-14 shows the vmfsim getlvl command. It gives you the file name and file type of the file that you need to copy to create your file.
Example 4-14 The vmfsim getlvl command
vmfsim getlvl 7VMRAC10 RACF tdata :part rpibllpa exc (history
:PART RPIBLLPA EXC00000 BASE-FILETYPE
Ready; T=0.01/0.01 11:54:54
The output from the vmfsim getlvl command lists this element as BASE-FILETYPE. In VMSES/E terminology, it means that no service was made to this part by IBM or locally by a system programmer (no entries in the IBM and Local Version Vector Tables). In our case, we use the RPIBLLPA EXEC. You must determine on which disk the base file is stored. Copy the highest level of the build list to the 2C2 local disk (E-disk).
Use the following syntax:
copyfile blist ft * = exclnnnn 2c2_fm
Where blist is the file name to be copied, ft is the file type, nnnn is a local tracking number that you supply, and 2c2_fm is the file mode of the 2C2 minidisk. Because this modification is the first modification to this file, we use 0001 as the nnnn value and file mode e to reflect the 2C2 minidisk, as shown in the following example:
copyfile rpibllpa exec u = excl0001 e
Modify the RPIBLLPA EXCL0001 on the E disk and comment out the entry for the ICHRCX02 member, as shown in Example 4-15.
Example 4-15 RPIBLLPA EXCL0001
RPIBLLPA EXCL0001 E1 F 80 Trunc=80 Size=749 Line=456 C
===>
456 *
457 *:OBJNAME. ICHRCX02 LEPARMS RENT REUS LET NCAL XREF
458 *:BLDREQ. RPIBLOBJ.ICHRCX02
459 *:OPTIONS. CONCAT SYSLIB RACFOBJ
460 *:OPTIONS. INCLUDE RACFOBJ(ICHRCX02)
461 *:OPTIONS. ENTRY ICHRCX02
462 *:EOBJNAME.
463 *
Log this local modification to the RPIBLLPA EXEC into the local version vector table. In earlier releases of z/VM, the VMFSIM MODIFY command was used. Starting with z/VM 5.2.0, you can use the VMFSIM LOGMOD command with more user-friendly syntax, as shown in the following example:
vmfsim logmod 7VMRAC10 vvtlcl e tdata :mod lcl0001 :part rpibllpa exc
The 2C2 disk should now contain 7VMRAC10 VVTLCL and RPIBLLPA EXCL0001 files. Example 4-16 shows the content of the 7VMRAC10 file.
Example 4-16 File list of the 2C2 disk
7VMRAC10 FILELIST A0 V 169 Trunc=169 Size=2 Line=1 Col=1 Alt=0
Cmd Filename Filetype Fm Format Lrecl Records Blocks Date
      7VMRAC10 VVTLCL E1 V 32 1 1  6/14/16
RPIBLLPA EXCL0001 E1 F 80 749 15  6/14/16
 
7VMRAC10 VVTLCL E1 V 80 Trunc=80 Size=1
====>
0 * * * Top of File * * *
1 :PART.RPIBLLPA EXC :MOD.LCL0001
2 * * * End of File * * *
Next, generate a new RACFLPA LOADLIB by using the VMFBLD command. When you run the command, make sure that you specify the blist parameter (in this case, rpibllpa), as shown in the following example:
vmfbld ppf 7VMRAC10 RACF rpibllpa (all)
If you do not specify this parameter, all build lists that are listed in the BLD section of the 7VMRAC10 PPF file are built (see Example 4-17).
Example 4-17 VMFBLD process for loadlib
VMFBLD2195I VMFBLD PPF 7VMRAC10 RACF RPIBLLPA ( LOG CNTRL RPIVM NOCKVV
NOSETUP ALL
VMFBLD2760I VMFBLD processing started
VMFUTL2205I Minidisk|Directory Assignments:
String Mode Stat Vdev Label/Directory
VMFUTL2205I LOCALSAM E R/W 2C2 RAC2C2
----------------- 13 line(s) not displayed --------------------
VMFBLD1851I Reading build lists
VMFBLD2182I Identifying new build requirements
VMFBLD2182I New build requirements identified
VMFBLD1851I (1 of 1) VMFBDLLB processing RPIBLLPA EXCL0001 E, target
is BUILD4 505 (K)
VMFLLB2217I RACFLPA LOADLIB will be rebuilt because all members must
be rebuilt
----------------- 66 line(s) not displayed --------------------
VMFBLD1851I (1 of 1) VMFBDLLB completed with return code 0
VMFBLD2180I There are 0 build requirements remaining
VMFBLD2760I VMFBLD processing completed successfully
To place the new local modification into production, you must link to the RACFVM 305 disk and then use the VMFCOPY command to copy the files to the production disk (see Example 4-18). The VMFCOPY updates the VMSES PARTCAT file on the 305 disk.
Example 4-18 Place changes into production
link RACFVM 305 305 MR
acc 505 e
acc 305 f
vmfcopy RACFLPA * e = = f (prodid 7VMRAC10%RACF replace oldd
4.2.2 Building the RACF enabled CPLOAD MODULE
Make sure that you logged off from the RACF product owner VM and logged on to the MAINT710 VM. When the PROFILE EXEC completes running, you have all the required disks that are accessed.
The RACF product is included with the system in a disabled state. You can use the VMSES/E command SERVICE to enable the product. You also can generate a CPLOAD MODULE that enables RACF to CP. This new CP nucleus requires that RACF is active on the system to manage authentication. The
initial settings for RACF are that if a resource is not defined to RACF, the decision on the access request is deferred to CP. Later in this setup process, you change this setting to secure the system so that all resources must be defined to RACF or the request for access fails.
Run the service racf enable command. Example 4-19 shows the output.
 
Note: The new CP nucleus, with the RACF CP parts, is placed on the secondary parm disk (MAINT710 CF2). For your information, a copy of the previous (or currently running) CPLOAD MODULE is still on the primary (CF1) and tertiary (CF3) parm disks as CPLOAD MODULE. It is also saved on the secondary parm disk as CPLOLD MODULE.
Example 4-19 CP SET PRODUCT
VMFSRV2195I SERVICE RACF ENABLE
VMFSRV2760I SERVICE processing started
VMFSRV2767I Reading VMFINS DEFAULTS B for additional options
VMFSRV2760I VMFINS processing started
VMFSRV2602R The following components can be enabled for PROD 7VMRAC10
RACF. Enter the number of your choice
(0) Bypass this product
(1) :PPF 7VMRAC10 RACF :PRODID 7VMRAC10%RACF
:DESC RACF Feature of z/VM, FL710
(2) :PPF SERVP2P RACF :PRODID 7VMRAC10%RACF
:DESC RACF Feature of z/VM, FL710
(3) Exit
VMFINS2603I Processing product :PPF 7VMRAC10 RACF :PRODID
7VMRAC10%RACF
VMFINS2603I Enabling product 7VMRAC10
VMFINS2771I The CP SET PRODUCT command completed sucessfully for product 7VMRAC10
VMFINS2772I File 7VMRAC10 PRODSYS created on your A-disk contains the
system configuration PRODUCT statement for product 7VMRAC10
VMFINS2603I PRODUCT ENABLED IN VMSE/E, CP PROCESSING REQUIRED
VMFINS2760I VMFINS PROCESSING COMPLETED SUCESSFULLY
HCPZAC6730I CPRELEASE REQUEST FOR DISK A COMPLETED.
When the product is enabled dynamically, the configuring of RACF by the service exec sets a flag in a VMSES/E software inventory table. This flag causes the CP nucleus to be built by using the RACF versions of the HCPRWA, HCPRPD, HCPRPW, HCPRPI, HCPRPG, and HCPRPF files. The SERVICE EXEC then generates a new CPLOAD MODULE and places it on the CF2 disk only (it is moved to the other parm disks in a later step).
When the SERVICE EXEC completes, issue the VMFVIEW command to verify that no problems exist.
Run an IPL of your system with RACF in test mode
To prepare for the next step, you also must find the device address of the volume on which the alternative parm disk is (MAINT710 CF2; on our system, it was on the 710RL1 volume). Shut down your system and then, by using the LOADPARM option, run an IPL of your system again. The z/VM stand-alone program loader starts.
 
Note: When z/VM SSI was introduced, the locations and roles of the parm disks changed. Previously, all of the parm disks were owned by MAINT and contained the CP nucleus, system configuration file, and logo configuration. With SSI, a new parm disk that is owned by the PMAINT user holds the system and logo configuration files, a second parm disk that is owned by the MAINT710 user is used during the service process, and a separate pair of disks that is owned by MAINT on each member of the SSI cluster holds the CP nucleus for that member.
You must start z/VM by using the new RACF-enabled CP nucleus that was generated by the SERVICE process. From the SAPL pane, enter the device address of the alternative parm disk volume, as shown in Example 4-20.
Example 4-20 IPL from CPLOAD on alternative parm disk
STAND ALONE PROGRAM LOADER: z/VM VERSION 7 RELEASE 1.0
DEVICE NUMBER: 03234 MINIDISK OFFSET: 209 EXTENT: 1
MODULE NAME: ZVM710R LOAD ORIGIN: 1000
--------------------------------IPL PARAMETERS--------------------------------
fn=SYSTEM ft=CONFIG pdnum=1 pdvol=3031
-----------------------------------COMMENTS-----------------------------------
------------------------------------------------------------------------------
9= FILELIST 10= LOAD 11= TOGGLE EXTENT/OFFSET
 
Note: If Auto_Warm_IPL is coded in your SYSTEM CONFIG file, you must also add the IPL parameter PROMPT on the SALIPL pane.
You can verify that you can access the correct module by pressing PF9 to show the file list of the designated parm disk. The file list should look something the output that is shown in Example 4-21.
Example 4-21 File list of the alternative parm disk
STAND ALONE PROGRAM LOADER: z/VM VERSION 7 RELEASE 1.0 FILENAME FILETYPE FORMAT LRECL RECORDS BLOCKS DATE TIME
CPLOAD MODULE Z1 V 65535 189 2999 6/14/19 17:07:42
CPLOLD MODULE Z1 V 65535 189 2993 6/12/19 19:34:45
3=QUIT 4=SORT(TYPE) 5=SORT(DATE) 6=SORT(NAME) 7=BACK 8=FORWARD 11=SELECT
The CPLOAD MODULE includes a recent time stamp and is slightly larger than the CPLOLD MODULE (which is the previous non-RACF CP nucleus). Press PF3 to return to the SAPL pane.
When everything is ready, press PF10 to start the IPL.
During the IPL process, you must perform a NOAUTOLOG start and change the time of day if required (see Example 4-22). The NOAUTOLOG option tells the system not to start the AUTOLOG1 VM. Therefore, no other VMs are started automatically.
Example 4-22 z/VM IPL
09:07:02 z/VM V7 R1.0 SERVICE LEVEL 1801 (64-BIT)
09:07:02 SYSTEM NUCLEUS CREATED ON 2019-01-23 AT 12:25:50, LOADED FROM RD1RES
09:07:02
09:07:02 ****************************************************************
09:07:02 * LICENSED MATERIALS - PROPERTY OF IBM* *
09:07:02 * *
09:07:02 * 5741-A09 (C) COPYRIGHT IBM CORP. 1983, 2018. ALL RIGHTS *
09:07:02 * RESERVED. US GOVERNMENT USERS RESTRICTED RIGHTS - USE, *
09:07:02 * DUPLICATION OR DISCLOSURE RESTRICTED BY GSA ADP SCHEDULE *
09:07:02 * CONTRACT WITH IBM CORP. *
09:07:02 * *
09:07:02 * * TRADEMARK OF INTERNATIONAL BUSINESS MACHINES. *
09:07:02 ****************************************************************
09:07:02
09:07:02 HCPZCO6718I Using parm disk 1 on volume RD1RES (device 0123).
09:07:02 HCPZCO6718I Parm disk resides on cylinders 209 through 248.
09:07:02 Start ((Warm|Force|COLD|CLEAN) (DRain) (DIsable) (NODIRect)
09:07:02 (NOAUTOlog)) or (SHUTDOWN)
09:07:08 NOAUTOLOG
09:07:08 NOW 09:07:08 EDT TUESDAY 2019-06-18
09:07:08 Change TOD clock (YES/NO)
NO
When the IPL completes, you start RACMAINT VM with the xautolog racmaint command. The reason for starting RACMAINT instead of RACFVM is that in a later step you run the PUT2PROD exec. This exec copies files to the RACFVM VM disks. RACMAINT links to those disks to run in READ ONLY mode, which allows MAINT and the PUT2PROD exec to gain write access to the disks owned by RACFVM.
When the RACMAINT VM logs on and runs the PROFILE EXEC, it runs RACSTART EXEC. This process causes this VM to be defined as the ESM for your system. You can ignore the messages about the 591 and 505 disk not being accessed. This issue does not cause a problem. You can now disconnect from the OPERATOR VM.
4.2.3 Updating the RACF database and options
The following tasks must be completed to update the RACF database with information from the CP directory and to set up options for the RACF environment.
Updating the RACF database with an existing CP directory
Log on to the IBMUSER VM. This VM is defined to have RACF special and operations authority in the initial RACF database that was included with the system. The password for this VM is SYS1, and you must change the password the first time that you log on.
From the VM, complete the following tasks:
1. Set a PF key to retrieve commands.
2. Run RPIBLDDS to build the RACF database.
3. Define the security administrator.
Before you can build the RACF database, you must link to the following the product owners’ disks and access them (see Example 4-23):
191: Location of the RPIDIRCT SYSUT1 file
305: Location of the RPIBLDDS EXEC
29E: Location of the RAC EXEC
Example 4-23 Setting up the IBMUSER virtual machine
set pf12 retrieve
Ready; T=0.01/0.01 11:25:46
link 7vmrac10 505 305 rr
RPIMGR031E Resource 7VMRAC10.505 SPECIFIED BY LINK COMMAND NOT FOUND
DASD 305 LINKED R/O; R/W BY RACMAINT
Ready; T=0.01/0.01 11:33:40
link 7vmrac10 191 192 rr
RPIMGR031E Resource 7VMRAC10.191 SPECIFIED BY LINK COMMAND NOT FOUND
Ready; T=0.01/0.01 11:33:59
link 7vmrac10 29e 29e rr
RPIMGR031E Resource 7VMRAC10.29E SPECIFIED BY LINK COMMAND NOT FOUND
Ready; T=0.01/0.01 11:34:06
ac 305 c
ac 192 b
ac 29e d
 
Note: On our system, we found that IBMUSER included a disk that is linked at 305, which we detached so that we can perform these steps.
The RPIBLDDS EXEC is used to modify the RACF DATABASE. It uses the RPIDIRCT SYSUT1 file as input. This file was created earlier by the 7VMRAC10 VM with the RPIDIRECT EXEC. It contains all the RACF commands to add users, define resources, and authorize users to resources.
 
Example 4-24 shows RPIBLDDS being run.
Example 4-24 Run RPIBLDDS
rpibldds
Using default file RPIDIRCT SYSUT1
Processing batch file RPIDIRCT SYSUT1 using "RAC" command interface
=> RDEFINE VMCMD RACF UACC(READ)
=> RDEFINE VMCMD RAC UACC(READ)
=> ADDGROUP SYSTEM
=> ADDGROUP SYSTEM OVM(GID(0))
=> ADDGROUP STAFF
=> ADDGROUP STAFF OVM(GID(1))
=> ADDGROUP GBIN
. . .
 
=> RDEFINE VMMDISK MAINT710.5A2 OWNER(MAINT) UACC(NONE)
=> PERMIT MAINT710.5A2 CLASS(VMMDISK) RESET ID(MAINT710) AC(ALTER)
=> RDEFINE VMMDISK MAINT710.5A4 OWNER(MAINT) UACC(NONE)
=> PERMIT MAINT710.5A4 CLASS(VMMDISK) RESET ID(MAINT710) AC(ALTER)
=> RDEFINE VMMDISK MAINT710.5A6 OWNER(MAINT) UACC(NONE)
=> PERMIT MAINT710.5A6 CLASS(VMMDISK) RESET ID(MAINT710) AC(ALTER)
. . .
 
=> RDEFINE VMMDISK MAINT710.400 OWNER(LOHCOST) UACC(NONE)
=> PERMIT MAINT710.400 CLASS(VMMDISK) RESET ID(LOHCOST) AC(READ)
. . .
When the RPIBLDDS EXEC completes, your RACF database is initialized with all the VMs and resources that were included with the z/VM system. Now, you create more RACF administrators. You must determine what VMs are trusted to manage your secure environment.
The user IDs that are part of the system maintenance process (VMSES/E) must have authority to access minidisks across the system. For this reason, the RACF Program Directory recommends the following VMs be granted OPERATIONS authority:
MAINT710
BLDSEG
BLDRACF
BLDNUC
BLDCMS
MIGMAINT
The RACF altuser command is used to modify the RACF attributes for a VM (see Example 4-25).
Example 4-25 Set RACF attributes
rac alu MAINT710 operations
Ready; T=0.01/0.01 11:49:44
rac alu bldseg operations
Ready; T=0.01/0.01 11:49:53
rac alu bldracf operations
Ready; T=0.01/0.01 11:50:02
rac alu bldnuc operations
Ready; T=0.01/0.01 11:50:04
rac alu bldcms operations
Ready; T=0.01/0.01 11:50:07
rac alu migmaint operations
Ready; T=0.01/0.01 11:50:12
 
Note: A highly experienced RACF administrator with extensive knowledge of VMSES/E might set up RACF profiles and permissions that allow access to the required resources without the OPERATIONS attribute. Because the maintenance of z/VM and its features is of critical importance to the system operation, the recommended approach of using OPERATIONS is the preferred method for most installations.
OPERATOR and SPECIAL
It is sometimes suggested that the OPERATOR ID be granted the SPECIAL attribute. Whoever, this suggestion is not a preferred practice because access to OPERATOR is broad and uncontrolled in most installations. Even with the access controls that are described in 3.2.8, “Role-based access controls and CP privilege classes” on page 37, OPERATOR is visible to users without security management responsibility.
One reason for giving this access is when an operator inadvertently enters the incorrect time when z/VM is IPLed, which results in all IDs on the system becoming revoked. This issue can be mitigated by using the Auto_Warm_IPL feature statement in SYSTEM CONFIG, combined with effective management of the Hardware Management Console (HMC)/SE time-of-day clock to provide accurate time to the LPAR ToD clocks.
Alternatively, z/VM supports the Server Time Protocol (STP) hardware feature, which can provide an integrated solution for time-of-day management across all systems that are running on the IBM LinuxONE server.
 
Note: As a preferred practice before granting the OPERATOR user the SPECIAL attribute, consider all possible alternatives. Giving OPERATOR the system-SPECIAL attribute can greatly affect the overall security and integrity of your z/VM system.
Revoking IBMUSER
After the new RACF administrators are defined, log off from IBMUSER. Log on to MAINT (assuming that you gave MAINT RACF authority) and complete the product installation.
Because IBMUSER is a well-known user, it might be a target for unauthorized accesses to your system. To prevent further use of the IBMUSER VM, revoke this VM and remove the operations and special attributes (see Example 4-26). Do not delete this VM from your system because IBMUSER ran the exec to generate the RACF database and it is now listed as the owner of all the other VMs on the system.
Example 4-26 RACF alter user for IBMUSER
link 7VMRAC10 29e 29e rr
RPIMGR031E RESOURCE 7VMRAC10.29E SPECIFIED BY LINK COMMAND NOT FOUND
Ready; T=0.01/0.01 12:00:18
access 29e l
DMSACP723I L (29E) R/O
Ready; T=0.01/0.01 12:00:23
rac alu ibmuser revoke
Ready; T=0.01/0.01 12:04:01
rac alu ibmuser nospecial
Ready; T=0.01/0.01 12:04:08
rac alu ibmuser nooperation
Ready; T=0.01/0.01 12:04:14
Setting RACF options
Now, define which resources are managed by RACF. The following examples are a good starting point:
RAC SETROPTS CLASSACT(VMMDISK)
RAC SETROPTS CLASSACT(VMRDR)
RAC SETROPTS CLASSACT(VMLAN)
Other options include VMBATCH and VMSEGMT. Also, if your CP directory included LOGONBY statements, RPIDIRCT created profiles in the SURROGAT class provide the same function. You must activate the SURROGAT class for your LOGONBY function to work as it did before.
It also is a good practice make the corresponding updates to the VMXEVENT to tailor this entry to your installation. This configuration avoids RACF calls for resources that are not RACF-protected and avoids wasting CPU cycles and causing RACF contention.
If you are using DirMaint, use VMXEVENT to exempt the DirMaint service machines from access checking. Because of the number of users in this example, we create a script to issue the required commands, as recommended in Directory Maintenance Facility Tailoring and Administration Guide, SC24-6283. The script is shown at Example 4-27.
Example 4-27 VMXEVENT EXEC
/* REXX */
Parse Upper Arg ID .
If ID = '' Then Do
Say "Please enter an ID!"
Exit 1
End
Say "ID" ID "will have a VMXEVENT profile created and populated,"
Say "Enter 'y' to continue:"
Parse Upper Pull Reply
If Left(Reply,1)="Y" Then Do
Address CMS
  "RAC RDEFINE VMXEVENT USERSEL." || ID
  "RAC RALTER VMXEVENT USERSEL." || ID || " ADDMEM(LINK/NOCTL)"
  "RAC RALTER VMXEVENT USERSEL." || ID || " ADDMEM(STORE.C/NOCTL)"
  "RAC RALTER VMXEVENT USERSEL." || ID || " ADDMEM(TAG/NOCTL)"
  "RAC RALTER VMXEVENT USERSEL." || ID || " ADDMEM(TRANSFER.D/NOCTL)"
  "RAC RALTER VMXEVENT USERSEL." || ID || " ADDMEM(TRANSFER.G/NOCTL)"
  "RAC RALTER VMXEVENT USERSEL." || ID || " ADDMEM(TRSOURCE/NOCTL)"
  "RAC RALTER VMXEVENT USERSEL." || ID || " ADDMEM(DIAG0D4/NOCTL)"
  "RAC RALTER VMXEVENT USERSEL." || ID || " ADDMEM(DIAG0E4/NOCTL)"
  "RAC RALTER VMXEVENT USERSEL." || ID || " ADDMEM(RSTDSEG/NOCTL)"
  "RAC RALTER VMXEVENT USERSEL." || ID || " ADDMEM(MDISK/NOCTL)"
  "RAC RALTER VMXEVENT USERSEL." || ID || " ADDMEM(APPCPWVL/NOCTL)"
Say "Complete."
End
We ran VMXEVENT EXEC once for each DirMaint user to be exempted. After the profiles are created for all users, you can activate the VMXEVENT class by using RAC SETROPTS CLASSACT(VMXEVENT).
We also issued RAC SETEVENT REFRESH USERSEL.xxxxxxxx commands for the logged-on DirMaint service machines (replacing xxxxxxxx for each DirMaint service machine in turn) for the VMXEVENT definition to take place immediately.
Using group permissions rather than exemption
Depending on your security policy, it might not be appropriate to exempt the DirMaint users from checking. Similar to RPIDIRCT, a sufficiently experienced RACF administrator can define resource profiles with the correct access lists to avoid having to use exemption. This task is even easier by using group-based permissions. For example, a group called $DIRMSRV can be granted appropriate permissions over all the DirMaint server resources, and the DirMaint server user IDs are connected to that group.
This task requires experience in RACF and DirMaint administration, and must not be taken lightly. Follow the installation instructions for DirMaint and use the documented method to exempt the DirMaint users from checking.
 
Note: The RAC SETEVENT REFRESH command must be run on the z/VM system where the user is logged on to take effect. If the user is not logged on, or is logged on to a different member of the SSI cluster, an error message is received, as shown in the following example:
RPISET133E SETEVENT FAILED. USER IS NOT CURRENTLY LOGGED ON.
To complete the refresh, log on to each system in your cluster and issue the refresh for the users who are logged on to that system. Alternatively, restart the affected servers (which can be done remotely from a central system by running the AT command).
4.2.4 Placing RACF into production
 
Important: This step must be repeated for each member of an SSI cluster.
Run PUT2PROD EXEC from the MAINT710 VM.
 
Note: Make sure that you run the PUT2PROD EXEC without any parameters because the $SERVICE PROD file on the MAINT710 191 disk already lists the components that must be put into production:
SERVICE $PRODS A1 V 80 Trunc=80
0 * * * Top of File * * *
1 SERVP2P RACF
2 SERVP2P CP
3 * * * End of File * * *
When PUT2PROD completes, run vmfview put2prod to verify that everything was successful.
Setting up AUTOLOG1 and AUTOLOG2
When doing a normal warm start, the IPL process starts the AUTOLOG1 VM. This process is intended to start the VMs that run in your z/VM environment.
With RACF in place, it is important to ensure that no VMs are started before RACF is properly initialized. RACF provides an AUTOLOG2 user to accommodate this task.
AUTOLOG1 is changed to start only your ESM (RACFVM). After the RACF environment is initialized, RACF runs the xautolog command for the AUTOLOG2 VM, which starts the remaining servers for the system.
The PROFILE EXEC for the AUTOLOG1 VM works perfectly for the AUTOLOG2 VM. Therefore, you can copy it to the appropriate disk. Then, you must modify PROFILE EXEC for AUTOLOG1 to start only the production ESM (RACFVM), as shown in Figure 4-5.
Figure 4-5 Set up the AUTOLOG1 and AUTOLOG2 virtual machines
You should be able to perform an IPL from the CF1 disk (extent 1) and run in production mode.
4.2.5 Using HCPRWAC
Initially, the system is built with non-aggressive authorization checking with the security parameters in the SYSSEC macro. In fact, most of the entries specify the keyword defer, which means that if the ESM does not know what to do with a request, the request is routed to the system CP for determination. What this looks like in the text of the SYSSEC macro is shown in Figure 4-6.
HCPRWA RPIBASE0  E1 F 80 3 Blks 10/25/06 Line 118 of
===>
SYSSEC , X
DISKP=ALLOW,DISKU=DEFER,DISKF=FAIL,DISKW=DEFER,DISKM=ON,X
RDRP=ALLOW,RDRU=DEFER,RDRF=FAIL,RDRW=DEFER,RDRM=ON, X
NODEP=ALLOW,NODEU=DEFER,NODEF=FAIL,NODEW=DEFER,NODEM=ON,X
CMDP=ALLOW,CMDU=DEFER,CMDF=FAIL,CMDW=DEFER,CMDM=ON, X
LANP=ALLOW,LANU=DEFER,LANF=FAIL,LANW=DEFER,LANM=ON, X
DEFLTP=ALLOW,DEFLTU=DEFER,DEFLTF=FAIL,DEFLTW=DEFER @L2C
SPACE 3
Figure 4-6 HCPRWA assemble file
This model is not a secure model to run the production system. For this reason, after everything is working correctly, change the SYSSEC macro to fail instead of defer.
In the past, this effort required updating the text of the SYSSEC macro so that it looked like Figure 4-7 and reassembled HCPRWA.
HCPRWA RB0L0001 E1 F 80 Trunc=80 Size=137 Line=120 Col=1 Alt=2
====>
120         SYSSEC , X
121 DISKP=ALLOW,DISKU=FAIL,DISKF=FAIL,DISKW=FAIL,DISKM=ON, X
122 RDRP=ALLOW,RDRU=FAIL,RDRF=FAIL,RDRW=FAIL,RDRM=ON, X
123 NODEP=ALLOW,NODEU=FAIL,NODEF=FAIL,NODEW=FAIL,NODEM=ON, X
124 CMDP=ALLOW,CMDU=FAIL,CMDF=FAIL,CMDW=FAIL,CMDM=ON, X
125 LANP=ALLOW,LANU=FAIL,LANF=FAIL,LANW=FAIL,LANM=ON       X
  126                DEFLTP=ALLOW,DEFLTU=DEFER,DEFLTF=FAIL,DEFLTW=DEFER @L2C
       SPACE 3
Figure 4-7 Modified HCPRWA assembler
To allow clients that do not have HLASM to move to a more secure configuration, the RACF product includes a pre-assembled version of HCPRWA that contains these changes (among others), known as HCPRWAC. For more information about how to use HCPRWAC see Appendix D, “Using HCPRWAC”, in Secure Configuration Guide for z/VM, SC24-6323.
HCPRWAC is the IBM-provided modification of HCPRWA that complies with the requirements of LSPP. This process uses VMFUPDAT to update VM SYSSUF.
Complete the following steps:
1. Run the vmfupdat syssuf command. Scroll through the panels until you see the Compname for RACF (see Example 4-28).
Example 4-28 MFUPDAT SYSSUF
Update any PPF/component name or YES|NO field. To change all occurrences
of a PPF name in the table replace both ******** fields with PPF names.
Compname Prodid Servlev Prodlev Description
---------------- -------- -------- -------- ------------------------------
AVS 7VMAVS10 000-0000 000-0000 AVS for z/VM 7.1.0
:INSTALL YES :INSPPF SERVP2P AVS
:BUILD YES :BLDPPF SERVP2P AVS
:INCLUDE YES :P2PPPF SERVP2P AVSP2P
CMS 7VMCMS10 RSU-1901 RSU-1901 CMS for z/VM 7.1.0
:INSTALL YES :INSPPF SERVP2P CMS
:BUILD YES :BLDPPF SERVP2P CMS
:INCLUDE YES :P2PPPF SERVP2P CMSP2P
CP 7VMCPR10 RSU-1901 RSU-1901 CP for z/VM 7.1.0
:INSTALL YES :INSPPF SERVP2P CP
:BUILD YES :BLDPPF SERVP2P CP
:INCLUDE YES :P2PPPF SERVP2P CPP2P
Change PPF name ******** to ********
Page 1 of 6
2. Add the following statement in the file that is shown in Example 4-28:
:INCLUDE CCC :P2PPPF SERVP2P RACFP2P
 
Note: Since z/VM 6.3, the HLASM is no longer required to assemble HCPRWA.
3. After you modify the entry for INCLUDE from YES to CCC, select PF5 to process. A flag is raised in the VM SYSSUF file that indicates that RACF was updated and to set this product to BUILD (see Example 4-29). The CPLOAD MODULE is built with the new HCPRWA file (which is the HCPRWAC file). This process changes the parameters from defer to fail.
Example 4-29 Notification that RACF was updated
00037 :PRODID.5684042J%ICKDSF :SERVLEV.RSU-1802 :DESC.ICKDSF DEVICE SUPPORT F
00038 :INCLUDE.YES :INSTALL.YES :INSPPF.SERVP2P ICKDSF :BUILD.YES :BLDPPF.SER
00039 ICKDSFP2P :PRODLEV.RDBKZVM1.RSU-1802 RDBKZVM2.RSU-1802 RDBKZVM3.RSU-180
00040 :PRODID.7VMDIR10%DIRM :SERVLEV.000-0000 :DESC.Install/service DirMaint
00041 :INSTALL.YES :INSPPF.SERVP2P DIRM :BUILD.YES :BLDPPF.SERVP2P DIRM :P2PP
00042 :PRODLEV.RDBKZVM1.000-0000 RDBKZVM2.000-0000 RDBKZVM3.000-0000 RDBKZVM4
00043 :PRODID.7VMRAC10%RACF :SERVLEV.000-0000 :DESC.RACF Feature of z/VM, FL7
00044 :INSPPF.SERVP2P RACF :BUILD.YES :BLDPPF.SERVP2P RACF :P2PPPF.SERVP2P R
00045 :PRODLEV.RDBKZVM1.000-0000 RDBKZVM2.000-0000 RDBKZVM3.000-0000 RDBKZVM4
00046 :PRODID.7VMPTK10%PERFTK :SERVLEV.RSU-1901 :DESC.Performance Tool Kit :I
00047 :INSPPF.SERVP2P PERFTK :BUILD.YES :BLDPPF.SERVP2P PERFTK :P2PPPF.SERVP2
00048 :PRODLEV.RDBKZVM1.RSU-1901 RDBKZVM3.RSU-1901 RDBKZVM4.RSU-1901 RDBKZVM2
00049 :PRODID.7VMHCD10%VMHCD :SERVLEV.000-0000 :DESC.VMHCD for z/VM 7.1.0 :IN
00050 :INSPPF.SERVP2P VMHCD :BUILD.YES :BLDPPF.SERVP2P VMHCD :P2PPPF.SERVP2P
00051 :PRODLEV.RDBKZVM1.000-0000 RDBKZVM2.000-0000 RDBKZVM3.000-0000 RDBKZVM4
4. Force the building of the CP nucleus by running the following commands:
vmfsetup 7VMRAC10 racf (link
vmfrepl rpiblcpn exec 7VMRAC10 racf (nocopy $select
vmfsetup detach
The VMFREPL EXEC is used to support the local modification of replacement maintained parts. VMFREPL can be used to accomplish the following tasks:
 – Copy the highest level of a part.
 – Copy a specified part.
 – Update a Version Vector Table.
 – Update a Select Data file.
 – Display the highest levels of a part.
RPIBLCPN EXEC is used to build the CPLOAD MODULE by using the RACF files and the version vector tables for RACF. The $SELECT operand adds an entry to the 7VMRAC10 $SELECT file (see Example 4-30) on the RACFVMs apply disk (2A6), which defines to VMSES/E that local service to the RPIBLCPN EXEC exists.
Example 4-30 7VMRAC10 $SELECT file
7VMRAC10 $SELECT F1 V 80 Trunc=80 Size=2
===>
0 * * * Top of File * * *
1 :APPLYID.07/01/16 09:09:18
2 RPIBLCPN EXC EXC00000 BASE-FILETYPE
3 * * * End of File * * *
5. The SERVICE EXEC is used again, similar to when you enabled the RACF product. This time, use the BUILD operand to create the CPLOAD MODULE by running the following command:
service racf build
The new CP nucleus, with the RACF CP parts, is placed on the secondary parm disk (default disk address of CF2). For your information, a copy of the previous (or currently running) CPLOAD MODULE is still on the primary (CF1) and tertiary (CF3) parm disks as CPLOAD MODULE. It is also saved on the secondary parm disk as CPLOLD.
6. Shut down the running system.
7. Perform an IPL from the MAINT710 CF2 parm disk.
8. Start the system with the NOAUTOLOG parameter.
9. Run XAUTOLOG RACMAINT.
10. Run the PUT2PROD EXEC from the MAINT VM.
The RACF product for z/VM 7.1.0 is now installed and configured.
4.3 RACF management processes
This section describes how to make DirMaint and RACF work together and shows some basic setup in RACF to protect commonly used resources.
4.3.1 DirMaint changes to work with RACF
The DirMaint-RACF connector provides DirMaint exits that allow the DIRMAINT VM to run the appropriate RACF commands to perform the following tasks:
Add a user
Define MDISK
Define VMRDR
Define VMPOSIX
Define SURROGAT
Define VMBATCH
 
Note: The DirMaint-RACF connector is one of the reasons that you use DirMaint with your RACF environment. Although it is fairly easy to write your own execs to provide a similar function, the connector is a maintained component of DirMaint.
The code to use this process is included with the base system as part of DirMaint. To implement this process, you update your DirMaint configuration (CONFIGxx DATADVH) with the statements that are defined in the CONFIGRC SAMPDVH file (see Figure 4-8 on page 89).
A copy of the CONFIGRC SAMPDVH file does not exist on the DIRMAINT minidisks. Instead, it is on the 2C2 disk that is owned by the 7VMDIR10 VM. In this example, we run VMLINK to access this disk and then copy the CONFIGRC SAMPDVH file to our A disk.
 
Note: The following VMLINK command is used:
VMLINK 7VMDIR10 2C2 (FILEL CONFIGRC *
This command made it easy to run COPYFile to copy the file and give it the name CONFIGRC DATADVH A.
Complete the following steps:
1. Copy the CONFIGRC SAMPDVH file to your A disk as CONFIGRC DATADVH.
An excerpt from the CONFIGRC DATADVH file is shown in Figure 4-8.
Figure 4-8 Part of CONFIGRC DATADVH
The activation of the function for all supported operations is done by using the following line:
USE_RACF= YES ALL
2. The operation of the function can be altered by changing the parameters in the file. If no changes are necessary, it can be used as is. Run the DirMaint file command to store a copy of the CONFIGRC DATADVH file.
 
Important: This file does not exist on the DIRMAINT user; therefore, specify the file mode on the DirMaint file command. Other DirMaint CONFIGxx DATADVH files are on DIRMAINT’s D disk, so they can be stored using the following command:
DIRM FILE CONFIGRC DATADVH A = = D
3. Complete the activation of the connector by running the DirMaint commands to refresh data and configuration files (DIRM RLDD and DIRM RLDC). You also must give the DIRMAINT and DATAMOVE VMs the RACF special attribute (see Example 4-31).
Example 4-31 RACF authorization for DIRMANT and DATAMOVE
rac alu dirmaint special
Ready; T=0.01/0.01 11:47:25
 
rac alu datamove special
Ready; T=0.01/0.01 11:47:33
After completing this process, when you add a user or minidisk with DirMaint, it is added automatically to the RACF database. For more information, see “Adding virtual machines with DirMaint” on page 90.
4.3.2 RACF authorization concepts
Resources are defined to RACF/VM as profiles in the RACF database. Profiles are available for all of the resources that are defined to a RACF enabled z/VM system (vmmdisk, vmrdr, vmlan, and so on). These profiles can be generic (MAINT.19*, where the asterisk is one or more characters) or discrete (MAINT.CF1), as shown in Example 4-32.
Example 4-32 Discrete and generic profiles
Discrete profiles
RDEFINE VMMDISK MAINT.CF1 OWNER(MAINT) UACC(NONE
PERMIT MAINT.CF1 CLASS(VMMDISK) RESET ID(MAINT) AC(ALTER)
RDEFINE VMMDISK MAINT.CF2 OWNER(MAINT) UACC(NONE
PERMIT MAINT.CF2 CLASS(VMMDISK) RESET ID(MAINT) AC(ALTER)
...
 
Generic profiles
RDEFINE VMMDISK MAINT.CF* OWNER(MAINT) UACC(NONE
PERMIT MAINT.CF* CLASS(VMMDISK) RESET ID(MAINT) AC(ALTER)
RDEFINE VMMDISK MAINT.190 OWNER(MAINT) UACC(NONE
PERMIT MAINT.190 CLASS(VMMDISK) RESET ID(MAINT) AC(ALTER)
RDEFINE VMMDISK MAINT.19E OWNER(MAINT) UACC(NONE
PERMIT MAINT.19E CLASS(VMMDISK) RESET ID(MAINT) AC(ALTER)
...
The RPIDIRCT EXEC that was used to create the commands to define the RACF database during the installation and configuration process that was used discrete profiles. Your installation must determine whether you want to continue with this practice or use generic profiles. Both methods or a combination of methods work. Make sure that you run SETROPTS GENERIC(VMMDISK) before you define the generic profiles.
4.3.3 Adding virtual machines and resources to the system and RACF database
This section describes how to add VMs and resources to the system and RACF database.
Adding virtual machines with DirMaint
This example uses DirMaint as the tool to add VMs to the system. The use of DirMaint allows you to use the DirMaint-RACF connector.
Complete the following steps:
1. When you must add a VM to the system, first make sure that the VM was not defined (see Example 4-33).
Example 4-33 Verifying a virtual machine
rac lu userbob
ICH30001I UNABLE TO LOCATE USER ENTRY USERBOB
Ready(00004); T=0.01/0.01 08:43:53
dirm for userbob get nolock
DVHXMT1191I Your GET request has been sent for processing.
Ready; T=0.03/0.03 08:44:09
DVHREQ2288I Your GET request for USERBOB at * has been accepted.
DVHBDG6209E Specified user USERBOB does not exist, request GET failed.
DVHGET3212E Unexpected RC= 6209, from: EXEC DVHBBDGT USERBOB DIRECT A0
DVHREQ2289E Your GET request for USERBOB at * has failed; with RC =
DVHREQ2289E 3212.
2. To create a VM, create a file on the A disk of a DirMaint administrator, which contains new VM definition (see Figure 4-9).
Figure 4-9 USERBOB DIRECT
3. Run the command dirm add to display a panel, as shown in Example 4-34.
Example 4-34 DIRMAINT ADD
--------------------------------DirMaint ADD---------------------------------
Add a new directory entry for a new USERID, PROFILE, SUBCONFIG, or IDENTITY.
Fill in the USERID, PROFILE, SUBCONFIG, or IDENTITY being added:
===> userbob
Optionally fill in the following when using a prototype:
LIKE ===> (file name of prototype)
PW ===> (password for new user)
VPW ===> (password again for verification)
ACCT ===> (account value for new user - optional)
BUILD ON ===> (SSI node)
IN ===> (identity)
Notes:
- If a value is given for any one of PW, VPW, or ACCT,
then a value is required for LIKE.
- If a value is given for either PW or VPW,
then a value is required for both of them.
- BUILD and IN fields can be used for subconfigs only.
- If a value is given for either BUILD or IN
then a value is required for both of them
 
5741-A09 (c) Copyright IBM Corporation 1979, 2018.
1= Help 2= Prefix Operands 3= Quit 5=Submit 12=Cursor
4. After entering the name of the VM, press PF5. You receive the messages that are shown in Example 4-35.
Example 4-35 DirMaint Output
PUN FILE 0013 SENT TO DIRMAINT RDR AS 0037 RECS 0013 CPY 001 0 NOHOLD NOKEEP
DVHXMT1191I Your ADD request has been sent for processing to DIRMAINT at
DVHXMT1191I ITSOZVM1.
Ready; T=0.07/0.08 08:51:11
DVHREQ2288I Your ADD request for USERBOB at * has been accepted.
DVHBIU3450I The source for directory entry USERBOB has been updated.
DVHBIU3424I The next ONLINE will take place immediately.
DVHDRC3451I The next ONLINE will take place via delta object directory.
 DVHRLA3891I Your DSATCTL request has been relayed for processing.
 DVHRLA3891I Your DSATCTL request has been relayed for processing.
 DVHRLA3891I Your DSATCTL request has been relayed for processing.
 DVHRLA3891I Your DMVCTL request has been relayed for processing.
 DVHRLA3891I Your DMVCTL request has been relayed for processing.
 DVHBIU3428I Changes made to directory entry USERBOB have been placed
DVHBIU3428I online.
DVHBIU3450I The source for directory entry USERBOB has been updated.
DVHBIU3424I The next ONLINE will take place immediately.
DVHDRC3451I The next ONLINE will take place via delta object directory.
 DVHRLA3891I Your DSATCTL request has been relayed for processing.
 DVHRLA3891I Your DSATCTL request has been relayed for processing.
 DVHRLA3891I Your DSATCTL request has been relayed for processing.
 DVHRLA3891I Your DMVCTL request has been relayed for processing.
 DVHRLA3891I Your DMVCTL request has been relayed for processing.
 DVHBIU3428I Changes made to directory entry USERBOB have been placed
DVHBIU3428I online.
DVHREQ2289I Your ADD request for USERBOB at * has completed; with RC
DVHREQ2289I = 0.
If you run rac lu and dirm for userbob get nolock, you find that the VM is defined. The rac lu output is shown in Example 4-36.
Example 4-36 RACF List User (RAC LU) command output
rac lu userbob
USER=USERBOB NAME=UNKNOWN OWNER=DIRMAINT CREATED=19.179
 DEFAULT-GROUP=SYS1    PASSDATE=00.000 PASS-INTERVAL= 30 PASSPHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=UNKNOWN
 CLASS AUTHORIZATIONS=NONE
 NO-INSTALLATION-DATA
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)         (TIME)
 --------------------------------------------
 ANYDAY                         ANYTIME
  GROUP=SYS1     AUTH=USE      CONNECT-OWNER=DIRMAINT  CONNECT-DATE=19.179
    CONNECTS=   00  UACC=NONE     LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
 NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED
Ready; T=0.01/0.01 08:54:10
When you add a minidisk to this user, the minidisk address is added to the RACF database as well. In this example, we ran the rac rlist command before and after adding a minidisk by using the DIRM AMD command. The results are shown in Example 4-37.
Example 4-37 RACF profile added for a DirMaint added minidisk
rac rlist vmmdisk userbob.191 auth
ICH13003I USERBOB.191 NOT FOUND
Ready(00004); T=0.01/0.01 08:54:49
. . .
<added minidisk using DirMaint AMDISK command>
. . .
rac rlist vmmdisk userbob.191 auth
CLASS      NAME
-----      ----
VMMDISK    USERBOB.191
 
LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
00     USERBOB         NONE               NONE    NO
 
INSTALLATION DATA
-----------------
NONE
 
APPLICATION DATA
----------------
NONE
 
SECLEVEL
--------
NO SECLEVEL
 
CATEGORIES
----------
NO CATEGORIES
 
SECLABEL
--------
NO SECLABEL
 
AUDITING
--------
FAILURES(READ)
 
NOTIFY
------
NO USER TO BE NOTIFIED
 
USER      ACCESS   ACCESS COUNT
--------  ------   ------ -----
USERBOB   ALTER       000000
 
   ID     ACCESS  ACCESS COUNT  CLASS                   ENTITY  NAME
-------- -------  ------------ -------- ---------------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST
Ready; T=0.01/0.01 08:55:18
 
Note: The values for the universal access and audit properties of the created minidisk resource profile are set in the RACF_RDEFINE_VMMDISK_DEFAULTS parameter in the CONFIGRC DATADVH file. You can also set the default access level that is given to the owner of a disk by using the RACF_DISK_OWNER_ACCESS parameter.
Similar parameters exist for the other resource types that are managed by the DirMaint-RACF connector.
Adding virtual machines without DirMaint
If you decide not to use the DirMaint product on your system, an automated process is available that also updates the RACF database. This method is not as automated as the use of the dirm add command, but it might be suitable for your installation.
You use the same processes that you use to build the initial RACF database. The processes are the RPIDIRCT and RPIBLDDS execs. These processes can be completed from the MAINT VM because MAINT can write to the CP directory (and accesses the USER DIRECT file that is found on the PMAINT 2CC disk).
Complete the following steps:
1. Add the new user to the USER DIRECT file (see Figure 4-10).
Figure 4-10 USER DIRECT on the 2CC disk
2. Put the directory online with the directxa command after you copy the directory entry for the new user to the user ID DIRECT A file.
Now, the new VM is added to the system directory. However, if you attempt to log on to the VM, the attempt fails (as shown in Example 4-38) because the VM is not defined in the RACF database and you are no longer deferring the request to CP.
Example 4-38 Log on to USERBOB
logon userbob
HCPLGA050E LOGON unsuccessful--incorrect userid and/or password
Enter one of the following commands:
LOGON userid (Example: LOGON VMUSER1)
DIAL userid (Example: DIAL VMUSER2)
MSG userid message (Example: MSG VMUSER2 GOOD MORNING)
LOGOFF
3. Update the RACF database with information about this VM. To do so, link and access the 651 disk that is owned by 7VMRAC10. You need this disk because that is where the RPIDIRCT and MDisk 505 where RPIBLDDS execs are stored.
4. Run the RPIDIRCT EXEC against the USERBOB DIRECT file (see Example 4-39) to generate an RPIDIRCT SYSUT1 file.
Example 4-39 Run RPIDIRCT
rpidirct userbob direct
USERBOB DIRECT Filemode defaulted to "*".
Output defaulted to "A" disk.
Default group ID = SYS1.
Would you like to change this default?
Enter Y/N
n
Default group ID = SYS1.
 
****************************************************************
DEFINITION pass begins......
****************************************************************
 
USER USERBOB XXXXXXXX 32M 100M BCDG
INCLUDE IBMDFLT
MDISK 191 3390 30049 1 ZA0L01 MR READ WRITE MULTIPLE
Missing ACIGROUP for userid USERBOB - Defaulted to SYS1
****************************************************************
DEFINITION pass complete - PERMIT command generation begins...
    NOTE: This EXEC will  “PERMIT” only up to 4 indirect  LINKS
****************************************************************
processing LINK TCPMAINT 592 592 READ for user USERBOB
*** Cannot PERMIT TCPMAINT 592 for Userid USERBOB - no Minidisk
**********   scan ended   **********
**********  7 Directory records processed *********
*************** RPIDIRCT SYSUT1 CREATED **************
The generated RPIDIRCT SYSUT1 file is shown in Figure 4-11.
Figure 4-11 New RPIDIRCT SYSUT1 file
RPIDIRCT did not process the LINK statement in the user definition (see the Cannot PERMIT message in the output of RPIDIRCT, and the missing PERMIT for TCPMAINT 592 in the RPIDIRCT SYSUT1 output). This issue appears to occur because RPIDIRCT includes support for resolving indirect minidisk links, which adds the PERMIT for the actual resource correctly. It does this by creating an index of all minidisks that are defined in the provided directory listing so that it can dereference indirect links. When working with a full directory, this process works as designed, but it fails with a single user’s directory entry.
This issue can be resolved by using one of the following methods:
 – Add a directory fragment to the userid DIRECT file defining the other user and its minidisk. In this example, we add the following two lines to USERBOB DIRECT to have RPIDIRCT correctly build the required PERMIT command:
USER TCPMAINT NOLOG
 MDISK 592 3390 1 1 ABC123 MR READ
The extent that is defined on this MDISK statement was irrelevant; it only needed to be present to allow RPIDIRCT to build the required PERMIT for USERBOB.
 – Manually add PERMIT commands to the RPIDIRCT SYSUT1 file in response to any Cannot PERMIT messages.
As a preferred practice, use the latter approach. Although having the utility create the correct PERMIT automatically is convenient, the directory fragment that is needed to create this PERMIT adds a full set of RACF commands to RPIDIRCT SYSUT1 for that other user.
You must manually remove all those other commands to run RPIBLDDS error-free. The issue is compounded if the user you are adding has links to minidisks of many users. All of the other users and their minidisks must be defined in directory fragments, and many unnecessary commands must be cleaned up from RPIDIRCT SYSUT1.
In this example, we manually add the appropriate PERMIT to the end of the RPIBDIRCT SYSUT1 file to allow the directory link.
5. Run the RPIBLDDS exec by using the new RPIDIRCT SYSUT1 file and update the RACF database with the commands that are shown in Figure 4-12.
Figure 4-12 Run RPIBLDDS
6. Run the rac lu command to check how the user is defined to RACF. In this example, we found that the result looked the same as that achieved by using the DirMaint-RACF connector (shown in Example 4-36 on page 92).
4.3.4 Securing your minidisks with RACF
You can use RACF to control who can link the minidisks by using profiles in the VMMDISK resource class. z/VM calls RACF for an authorization check when a user tries to link another user’s minidisk. All devices in z/VM except users and groups are considered to be general resources in RACF. Therefore, defining profiles in RACF for resources other than users and groups is done by using the RACF command RDEFINE.
You can protect resources by defining the following profiles:
Discrete
Generic
Discrete profiles are used to protect explicitly a single resource. For example, if a resource requires special access authorization or unique logging information, you can protect it with a discrete profile, as shown in Example 4-40.
Example 4-40 Protect MDisk 191 with a discrete profile
RDEF VMMDISK edi.191 uacc(none) own(edi)
 
Note: IBM provides the DirMaint-RACF connector, which defines RACF profiles whenever a change is made to your directory by using DIRM commands. This process is done if a user is added or deleted, for example, and when adding minidisk definitions to virtual guests. However, the DirMaint-RACF connector creates discrete profiles only, which provides a basic security implementation and makes sure that resources are protected.
However, in many installations, the preferred way to protect resources is by defining generic profiles. Generic profiles must contain one or more generic characters. This method might be the best way to protect all resources of the same type of a certain user by defining only one or two profiles.
 
Note: Consider the following points:
Valid generic characters are %, *, and **.
Specify % in profile names to match any single non-blank character on the same position of the resource name.
Specify * or ** in the profile name to match more than one single character in the same position of the resource name.
For more information, see Chapter 6, “Defining Resources”, in z/VM RACF Security Server Security Administrator’s Guide, SC24-6218.
You also can choose to grant permits to groups rather than users. Defining groups to the RACF database is a way to reflect definitions and permissions to your businesses organizational structure and your security policy. It also gives you more flexibility.
Therefore, you might (as shown in the following examples) insert groups into the ID keyword of the RACF PERMIT command rather than single user IDs. If a user then newly joins a specific organizational unit (that is, the DBADMN unit), connecting this user ID to the defined group provides the user with all the access rights the user needs to do the work.
For more information about the advantages of the use of this group permission rather than user permissions, see “Advantages of using groups” on page 99.
For more information about RACF group structure and security objectives, see Chapter 2, “Organizing for RACF Implementation”, in z/VM RACF Security Server Security Administrator’s Guide, SC24-6311.
 
Note: If you decide to use generic profiles for class VMMDISK, genlist this class. Run the following command:
SETROPTS GENLIST(VMMDISK)
This command causes one copy of each generic profile for the VMMDISK class to be kept in the RACFVM service machine. Changes that are made to generic minidisk profiles are not reflected until a SETROPTS refresh command is issued, as shown in the following example:
SETROPTS GENERIC(VMMDISK) REFRESH
Linux for IBM System z® guests often must have many database volumes that are attached to their VMs and volumes that are of the same kind and protection level needs. This configuration can be done by defining profiles, as shown in Example 4-41 and Example 4-42.
Example 4-41 Protect database volumes with a generic profile
RDEF VMMDISK LNX1.* UACC(NONE) OW(LINX1)
Example 4-42 Permit access to a database volume by using a generic profile group access list
PERMIT LNX1.* CLASS(VMMDISK) ID(DBADMN) ACC(UPDATE)
If your system MDisks should not be updated by DBADMN but by SYSPROGS group, and the virtual addresses of these types of minidisks start with 20, use the commands that are shown in Example 4-43 on page 99.
Example 4-43 Generic profile and group permission example
RDEFINE VMMDISK LNX1.20* uacc(none) ow(LINX1)
PERMIT LNX1.20* CLASS(VMMDISK) ID(SYSPROG) ACC(UPDATE)
Advantages of using generic profiles
The use of generic profiles includes the following advantages:
The number of profiles in the RACF database is reduced significantly.
No RACF administrator action is needed when MDisks are added or removed.
The principle of least privilege is met.
A good overview of the security setup in your RACF database occurs, which might be helpful when showing security concepts to auditors.
This principle can be used for almost all of the general resource profiles except VMLAN VSWITCH devices.
Advantages of using groups
The use of groups includes the following advantages:
Access lists in resource profiles include fewer entries.
Changes in your companies business organization can be easier reflected in permission structures.
If people change departments in your organization, accesses are easily withdrawn and granted by removing them from a group and connecting them to another group.
RACF-DB is provided with a structure that is adopted to your business needs.
They are a good overview of the security setup in your RACF database.
4.3.5 Securing guest LANs and virtual switches with RACF
RACF can be used to protect VLANs and virtual switches by using profiles in the VMLAN class. After defining the appropriate profiles, be sure to activate your VMLAN class by running the following command:
SETROPTS CLASSACT(VMLAN)
The VMLAN class contains the following sets of profiles to protect LANs:
Base profiles control the ability of a z/VM user to use a LAN.
VLAN-ID qualified profiles are used to assign a user to one or more IEEE VLANs.
Base profiles
Base profiles are called userid.name, where userid is the LAN owner and name is the name of the LAN. Both qualifiers are a maximum of 8 characters. In the case of a VSWITCH, userid is always SYSTEM. These profiles control the authorization and auditing of attempts by any user to COUPLE to a guest LAN of virtual switch. A user must have UPDATE access to the profile to be authorized for the COUPLE command.
VLAN-ID qualified profiles
Two types of virtual switches are available: user-based and port-based. The default is user-based. Access to the virtual switch is on a user ID basis. All ports for a guest have the same attributes and VLAN IDs.
If a virtual switch is VLAN-aware (which is done by setting the VLAN defvid parameter), a secondary set of VLAN ID-qualified VMLAN profiles are used to control the ability of user IDs to connect to a particular IEEE VLAN. Profiles of this type are named SYSTEM.name.vid, where name is the name of the virtual switch and vid is a VLAN ID of the value 1 - 4096, inclusive. In this case, the vid must consist of 4 digits.
A user who wants to connect to a virtual switch of this type must have UPDATE access to the qualified profile. The VLAN-Id qualified profiles are checked only if the user has UPDATE access to the base profile protecting the virtual switch.
 
Note: Consider the following points:
VLAN-Id qualified profiles must be discrete; generic profiles are ignored.
Global access checking cannot be used for VLAN ID-qualified profiles.
For more information about protecting VLAN resources, see Chapter 10, “Protecting z/VM Resources”, of z/VM RACF Security Server Security Administrator’s Guide, SC24-6218.
Base profiles control the ability of a guest to connect to the LAN (automatically through the directory NICDEF statement or by using the CP COUPLE command), and VLAN-ID qualified profiles to control access to specific VLANs on IEEE VLAN-aware virtual switches. To couple to a guest LAN or a virtual switch, a user must have UPDATE access to the profile.
For example, to control access to guest LAN NET100, which is owned by klausm, you must define the profile that is shown in Example 4-44.
Example 4-44 Authorize virtual guest LNX01 to couple to a LAN
RDEF VMLAN EDIALVES.NET100 UACC(none) OWNER(EDIALVES)
PERMIT EDIALVES.NET100 CLASS(VMLAN) ID(LNX01) ACC(UPDATE)
For more information about guest LANss and virtual switches, see z/VM Connectivity SC24-6267.
For IEEE VLAN-aware virtual switches, the mechanism to get access is much the same, although the profile looks different. For this type of virtual switch, you must define the VLAN-ID in the protecting profile. Profiles of this type are set up as SYSTEM.name.vid, where name is the name of the virtual switch and vid is a VLAN ID having a value 1 - 4094, inclusive.
The vid qualifier must consist of four decimal digits, and leading zeros must be entered for VLAN IDs with fewer than 4 digits.
In Example 4-45, a user-based virtual switch named VSWINT (virtual switch for internal use only) is defined. Also, the VLAN IDs 10 and 20 are assigned to different user IDs (which can be group IDs). In this example, VLAN ID 10 is used by the segment NETADMINS and VLAN ID 20 is used by LNXBANK (Linux guests for running a banking application).
Example 4-45 Defining the base profile
RDEFINE VMLAN SYSTEM.VSWINT UACC(NONE)
PERMIT SYSTEM.VSWINT CLASS(VMLAN) ID(NETADMN LNXBANK) ACC(UPDATE)
RDEFINE VMLAN SYSTEM.VSWINT.0010 UACC(NONE)
PERMIT SYSTEM.VSWINT.0010 CLASS(VMLAN) ID(NETADMNS) ACC(UPDATE)
RDEFINE VMLAN SYSTEM.VSWINT.0020 UACC(NONE)
PERMIT SYSTEM.VSWINT.0020 CLASS(VMLAN) ID(LNXBANK) ACC(UPDATE)
VLAN accesses can be separated from each other by using this method.
Accessing multiple VLANs from a guest
z/VM Virtual Switch supports access ports (where the guest is VLAN-unaware and the VSWITCH handles all VLAN tagging) and trunk ports (where the guest must be VLAN-aware and process its own VLAN tagging).
Without RACF, access to VLANs is controlled by the GRANT option of the CP SET VSWITCH command (MODIFY VSWITCH in SYSTEM CONFIG). For a specific user, a set of VLANs can be granted on a VSWITCH by listing them in the VLAN parameter. If more than one VLAN is specified, the PORTTYPE parameter must also be set to TRUNK. If a list of VLANs is given but PORTTYPE ACCESS is used, an error occurs, as shown in Example 4-46.
Example 4-46 SET VSWITCH GRANT with multiple VLANs and PORTTYPE ACCESS
set vswitch vlantst grant tcpip vlan 10 20 30
HCPSWS2847E PORTTYPE ACCESS is not allowed when the user is authorized
HCPSWS2847E for more than one VLAN
With RACF in place and the VMLAN class active, SET VSWITCH GRANT is not used. Instead, when a user network interface card (NIC) attempts to connect to a VSWITCH that is VLAN-aware, CP requests the list of all profiles to which the user has permission. If this list returns more than one VLAN profile, CP treats this the same as multiple VLAN numbers on the SET VSWITCH GRANT VLAN option and expects the PORTTYPE to be TRUNK.
This behavior can create unexpected results when you are using group-based access management, as described in 4.3.4, “Securing your minidisks with RACF” on page 97. You might want all of a set of Linux systems to belong to a particular group for DASD management, for example, but if they attach to different VLANs on a VSWITCH, you cannot use the same group for VLAN management. Use different group structures for different resource types to allow for different access mappings between those resource types.
SYSSEC considerations of guest LANs
The SYSSEC macro, which is coded in the RACF module HCPRWA, can influence the final result of resource requests in the VMLAN class. If a VLAN is not protected by a RACF profile and if RACF is active on the system, SYSSEC can be coded to let RACF perform one of the following tasks:
Allow access
Deny access
Defer access decision to a z/VM
To check the settings of your SYSSEC macro and for more information about the SYSSEC macro, see z/VM RACF Security Server Macros and Interfaces, SC24-6309.
4.3.6 Labeled security and mandatory access control
RACF supports the use of security labels, which allows an installation to implement a security policy that employs mandatory access control (MAC). Standard RACF profiles and ACLs are a form of discretionary access control (DAC), where individual resources are protected explicitly by the ACLs that are defined in their profile. MAC uses security labels to classify users and resources into security zones and classify access to those zones.
 
Note: z/VM 6.4 with RACF and security labels in place was evaluated against the Common Criteria Labeled Security Protection Profile (LSPP). The evaluated configuration received an Evaluation Assurance Level of EAL4+. z/VM V7.1 is designed to comply with the same Common Criteria requirements as were successfully evaluated for z/VM V6.4.
For more information about the evaluated configuration, see Secure Configuration Guide for z/VM, SC24-6323.
Using labeled security
Labeled security is implemented in RACF for z/VM by using the SECLABEL class. RACF Security Server Security Administrator’s Guide, SC24-6311 describes the use of security labels in achieving a security model employing MAC. In addition, the specific implementation of security labeling that was used in the evaluation of z/VM 7.1 against the LSPP can be found in Secure Configuration Guide for z/VM, SC24-6323. Either of these documents provide thorough examples about how to use the SECLABEL class in RACF for MAC.
Labeled security does not provide a more secure system. In fact, it can be argued that the use of MAC alone provides less security over individual resources. The reason this is the case is that MAC does not focus on the specific resources in a configuration, but rather on the categories and zones to which the resources belong. Instead of permissions being granted to specific discrete resources (as happens in a DAC model), permissions are granted across the security zone with MAC.
SECLABEL and Linux virtual machines
In the case of a Linux on z/VM environment, the use of MAC might result in individual Linux VMs accessing a wider set of resources than DAC. For example, suppose that SECLABEL was used to protect the disks that are attached to a set of database server guests. The data that is contained in these databases is assessed as being at the same security level, so all of the database minidisks get the same label applied and the Linux guest IDs are assigned that label. Now, where before in a DAC model each server had access to its own disks only, the use of MAC alone means that any of these servers can access any of the database disks.
Combining DAC and MAC
MAC can bring a higher level of security to a Linux on z/VM configuration. In our example configuration, a set of database servers holds sensitive customer data and another set of database servers with less sensitive data. These database servers are allocated with the appropriate SECLABELs that reflect the different security zones of the data under management.
Now, suppose a malicious system administrator (with sufficient authority to manage discrete resource profiles for the Linux guests) wanted to access sensitive data by using one of the servers with less stringent controls. This operator issues PERMIT commands to allow a less secure server to access physically the sensitive data disks. In a system with DAC alone, this change is all that is required for the less secure server to link the disks and access the data.
When MAC is active, the request is rejected regardless of the discrete PERMIT commands because the SECLABELs of the servers and minidisks do not allow the access. In this way, SECLABELs provide an extra layer of security protection.
 
Note: Implement MAC that uses the RACF SECLABEL class as another security protection over and above standard DAC rather than as a security model in its own right.
4.3.7 Backing up the RACF database
The default configuration of RACF provides a primary and a backup database. As supplied, RACFVM uses a data set that is called RACF.DATASET (which is on the virtual device 200) as its primary database, and a data set called RACF.BACKUP (which is on the virtual device 300) as its backup database. Also, RACFVM keeps the backup database up to date with changes that are made to the primary database (except for the recording of statistics). These specifications are set in the RACF database name table (ICHRDSNT). RACF for z/VM comes with a default ICHRDSNT that defines these settings.
The RACF primary and backup databases are accessed from the time RACFVM starts. This configuration allows RACFVM to keep the backup in-step with the primary, and allows the active database to be switched if needed. However, it makes it slightly more difficult to make a copy of the database because a RACF database must be copied only when it is not active.
For most installations, the backup copy of the database as kept by RACFVM might not be sufficient. It does not protect the database from being lost if a disk subsystem is lost or a disaster occurs, for example. Every installation of RACF should implement a method to back up the database, and keep that backup separate from the running system.
Making an extra backup
RACF Security Server System Programmer’s Guide, SC24-6312 provides examples about how to use the RACF database utilities IRRUT200 and IRRUT400 to perform backups of RACF databases. This scenario is based on an IRRUT400 example entitled “Copying a RACF database to a larger volume without shutting down the RACFVM server” from z/VM: RACF Security Server System Programmer's Guide, SC24-6312.
 
Note: Make this kind of backup during a period of as little system activity as possible.
Complete the following steps:
1. Log on to the RACMAINT user.
2. Send a message to RACFVM to detach the F200 and F300 disks so that RACMAINT can link to them.
3. Link to the F200 disk of RACFVM (the original supplied RACF database primary disk) as a staging area for the backup.
4. Because IRRUT400 requires system CMS to run, perform an IPL of the CMS saved system.
5. Run RACUT400 to copy the database.
Example 4-47 shows these steps.
Example 4-47 Use IRRUT400 to back up the RACF database
SEND CP RACFVM DET F200 F300
Ready; T=0.01/0.01 16:29:45
LINK RACFVM F200 400 W
Ready; T=0.01/0.01 16:29:55
IPL CMS
z/VM V7.1.0 2019-06-13 16:18
DMSACP723I D (192) R/O
DMSACP723I B (305) R/O
DMSACP723I T (190) R/O
DMSACP725I 190 also = S disk
Ready; T=0.01/0.01 17:04:33
RACUT400
This exec is used to Split/Merge or Create a copy
of a RACF data base.
Press Enter to continue....
<Enter>
 
Do you wish to SPLIT a RACF data set into multiple extents?
or
Do you wish to MERGE multiple RACF data sets into 1 or more extents?
or
Do you wish to COPY one RACF data set into another extent?
Enter SPLIT or MERGE or COPY or QUIT
copy
 
A single Racf Data set is to be copied to another extent.
Enter the single input device address
200
 
Enter the single output device address
400
 
DMSACC724I 200 replaces R (200) - OS
DMSACC723I R (0200) R/W - OS
DMSACC724I 400 replaces X (400) - OS
DMSACC723I X (0400) R/W - OS
The following are the Input Racf Data Set(s)
"RACF.DATASET" (vaddr = 200)
The following are the Output Racf Data Set(s)
"RACF.DATASET" (vaddr = 400)
Do you wish to continue?
Enter YES or NO
yes
 
You will now be prompted for Input Parameters to 'IRRUT400'
A series of panels containing a full description of these Parameters
can be viewed by entering HELP
 
Enter HELP for a description of input Parameters
or
Enter CONT to continue without the Parameter description
or
Enter QUIT to terminate
cont
 
Enter Input Parameter one at a time for 'IRRUT400'
or
Enter END to use default values
nolockinput
 
Enter Next Parameter for 'IRRUT400'
or
Enter END to specify end of input
or
Enter QUIT to terminate.
end
 
Processing begins
All output will be placed in the 'UT400 OUTPUT' file on the 'A' disk.
Program 'IRRUT400' is being executed - Please wait -
 
Processing completes
Return code from 'IRRUT400' = 0
The primary RACF database is copied to the RACFVM F200 disk. You can now perform other operations on this copy, such as reporting or making further backups by using DDR or other facilities.
Using the RACUT200 and RACUT400 tools
The RACUT200 and RACUT400 execs that start the RACF utilities are sensitive to the types of disks that are used. It also makes assumptions about the type of device to expect based on the device addresses used.
In this example, when we attached the F200 minidisk by using F200 as the virtual device address, the device address was rejected by the utility as invalid. Only the common device addresses that are used for RACF database minidisks (200, 300, and 400) are accepted by the tools.
When we attempted to perform the copy that is shown in Example 4-47 on page 103 by using the full-pack minidisk that is attached at 200 and the F200 minidisk that is attached at 300, the utility failed with a message saying the output data set is invalid. It seems that safety checks exist that are built in to the utilities.
If you use the 200 and 300 devices, the utilities seem to treat them as through they should be the pair of RACF primary and backup disks, and check the data set names to be as expected. In our case, the real 200 disk and the F200 disk have the data set name RACF.DATASET, and this issue caused the utility to fail. Attaching the F200 minidisk at 400 instead worked well because the utility makes no assumptions about the name of the data set that should appear at device 400.
4.3.8 RACF recovery options
If a system availability issue occurs, it might be necessary to recover RACF data from a backup. Circumstances also might exist that prevent the RACFVM server from starting.
This section introduces some basic methods to use to perform recovery of RACF.
 
Note: For more information about the recovery procedures for events that can compromise RACF operation and about RACF recovery or for any other specific scenarios, see Chapter 7, “Recovery procedures” of z/VM V7.1 RACF Security Server System Programmer's Guide, SC24-6312.
Recovery of the RACF primary database
If the RACF primary database is unavailable or in error, the following options are available:
If the backup database is valid, you can use RACUT200 to copy the valid backup to the primary volume.
If no backup exists, you can restore the most recent memory dump of the database by using a DDR or RACF utility.
We describe a scenario in which we must recover the RACF primary database disk from the backup we took by using the procedure that is described in “Making an extra backup” on page 103.
If RACF cannot start
RACF includes an operation mode called failsoft processing that it adopts if no primary databases are available. In failsoft processing, if RACF cannot authorize an access request by using in-memory tables, it prompts the operator for a decision on the access request.
 
Note: For SSI, it is required that the RACF database is shared between the members of an SSI cluster. For more information about DASD sharing, see the Sharing RACF Databases in a z/VM Single System Image Cluster section of z/VM: RACF Security Server System Programmer's Guide, SC24-6312, and z/VM: CP Planning and Administration, SC24-6271.
 
 
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.21.106.7