SEARUG IS BACK ON-LINE By: George Fogg

It looks like SEARUG is alive again. Everyone who showed up to the last farewell party was reluctant to bid farewell to the user group--so, here we go again. They even decided I haven't had enough punishment and voted me into continuing as Prez.

The main topic of the meeting (besides the food) was the charter or structure of SEARUG. Here's what we came up with:

We also decided to hold one meeting per quarter on the second Wednesday of the 1st month in the quarter and get the newsletter out two weeks prior to the meeting.

Meeting Summary:

It was a very positive and constructive get-together of sixteen people. Everyone had input on what SEARUG should be about and what it will take to make it successful. I got volunteers to hold meeting places and update the mailing list, and TMG (Technology Management Group) to continue being our sponsor, which is a tremendous help to our organization.

I believe SEARUG can be a success if everyone puts a little time into it. What we need, of course, is speakers. But little things help too, such as articles, tips and tricks for using RACF, questions with answers, user experience tales, or whatever you think would be of interest to SEARUG members.

NEW FORMAT FOR THE NEWSLETTER

I'm going to add more spice to the newsletter by getting articles, tips and pointers, performance issues, a Question & Answer section, APAR, DOC, and PTF alerts plus the standard old-news new-news sections.

COPYRIGHT and TRADEMARKS

All Copyright and Trademarks are recognized by this author wherever they appear in any SEARUG Newsletter; hereforthwith, hereinafter, hereafter, herebeforewith, ad infinitum. (I'm too lazy to add TM and Copyright symbols whenever the words IBM or DB2 or RACF, etc. appear in the text but I respect their ownership and claims to said material)

NEXT MEETING MAY 10th, 1995

Site: Puget Power

Host: Mark Turner (206) 454-6363 Ex. 255

Address: 411 -108th Ave NE, Bellevue WA

Directions: Take the NE 4th exit off of I-405 in Bellevue. Head west (towards the Sun) to 108th. The building will be on the right. For more details, contact Mark Turner (above).

AGENDA: 1:00 PM RACF 2.1 and User Experiences by George Fogg

2:30 PM BREAK

2:45 PM Site Installation Questionnaire

Other SEARUG Issues, Q & A

4:30 PM Go have a BEER!

PRODUCTS OF INTEREST

Just a few months back, I ran into Howard Baker, the manager of RACF development. The first thing he said was "Hi George, have you tried out the RACF Productivity Edition on CD-ROM?" Not to look real stupid, I replied "not yet, but soon..." even though I didn't know what he was talking about. It was not long ago I had always expected CDs to have Mozart or the Stone Temple Pilots ingrained on them, not books. Anyway, when I got back to Seattle we put in an order to get the CD-ROM.

So, I recently had the pleasure to try out the IBM On-line Library Productivity Edition: RACF Information Package, SK2T-2180-00 which is a collection of manuals on CD-ROM to be viewed by using BookManager on DOS, OS/2, or Windows. It not only contains manuals on RACF but also includes all manuals that have RACF or security related material including CICS, IMS, DB2, DFSMS, MVS, OpenEdition, TSO, ISPF, APPC, and the Rainbow Collection (ITSO red and WSC orange books). In total, one has over 520 megabytes (well over 100 plus manuals) of text and graphic material to browse. The beauty of this is that all products that have any security information are contained on one CD-ROM.

Here's an example of its usage: Ever hear of "Dynamic APF Libraries"? This is a facility that appeared in MVS 4.3 to allow a user to dynamically add or delete an APF library either through a console command or by using an MVS macro called "CSVAPF". The good news is that RACF is called before a library can be added or deleted from the APF list, but you won't find any information on how to protect these functions from unauthorized use in any RACF manual. It can be found in the MVS/ESA Planning: Operations manual, which is included on the CD-ROM disk. I did a search of the word "CSVAPF" and found 18 different manuals the search word was found in--it was not found in any RACF manuals. You could search the entire CD-ROM for keywords such as "security" or "RACF" and get a list of all manuals and topics that relate to security, including security topics that would never appear in the RACF manuals, as this example illustrates. And don't take what I say as a slam dunk on the technical writers for RACF. I met these folks when I was back in NY and they are dedicated and concerned about what they produce for us customers. After all, they put this CD-ROM together.

What is missing on the CD-ROM are the LY or licensed material type of manuals such as the MVS and RACF Data Area manuals. I believe IBM lawyers are hashing out that problem and maybe someday they will be included in this package.

Since I'm a mainframe dinosaur, I was skeptical about reading manuals on a 17 inch monitor and losing the ability to scribble notes on paper pages. So I said to myself, "Self... at least take one step out of the dark ages and try it, it's not related to UNIX!" I like it but I'll compromise by keeping my trusty old paper RACF manuals and not order any other MVS books, although BookManager does have a NOTES facility just for people like me.

All the CD-ROM manuals are grouped into bookshelves. As an example, there's a bookshelf for RACF 2.1 which contains 13 manuals or 7.52 MB of text and graphics. You open this bookshelf and get a list of all RACF 2.1 manuals. You can then start a search for a word or string of words such as "WHEN(TERMINAL)" and a search list is produced of all books and topics found that contained that search word. Another example is a bookshelf for MVS, one for DB2, CICS, etc.

Other features allow you to print a sentence, a topic, a chapter, or the whole book. Another feature allows one to select your own collection of manuals and create a custom bookshelf that contains the manuals selected. You can also copy topics to a file for later processing.

I have tried the OS/2 and Windows versions of BookManager and was pleased with both, but I slightly favor the Windows version. It has more functionality and includes a tool bar and better print and search capabilities.

I believe this product will be shown at the RACF95 conference as it was at the last conference. TRY IT, you may like it! This old Jurassic MVS coder (or is that codger?) does.

HIPER APARS

Hiper APARS are documented problems of such extreme magnitude that they are defined in a special category on IBMLink. I treat them as a flashing red light, telling me that IBM or a customer has found a problem that can cause major trouble. I must admit that not all Hipers are trouble alerts but most are. Hipers can be open or closed. Hiper APARS that are closed have a fix available from IBM. (A fix is also known as a PTF. Some APARS may have more than one PTF to fix one or more modules in error.)

Hipers for RACF 1.9.2 since 3/7/94

Hipers for RACF 2.1 since 1/1/95

QUESTIONS and ANSWERS

Q: How do I stop a user who owns a userid profile from changing that user's password interval to "nointerval"?

A: There isn't any way to stop a user who owns a userid (owned either by a userid as the owner or a group owning the userid and the owning user has group-special in the group that owns a userid) without writing a password exit. As an example, the exit can determine and only allow a user with system special to be able to use the "nointerval" keyword in the Password command.

Q: How come I can't define a member name using the ADDMEM parameter on RDEF or RALT that has a dash "-" character? I wish to add a member name in a CICS class that has the same name as the transaction.

A: It's not documented anywhere, but the data in the ADDMEM parameter for a general resource Grouping class is validated using the Class Descriptor Table (CDT) entry for that class. So, for example, the rules in the TCICSTRN class would control the format of data used in the TCICSTRN class. By the way, this class would allow a dash character but a site-defined CDT may not. (See the FIRST= and OTHER= parameters for the ICHERCDE macro that defines a new CDT entry.)

PERFORMANCE UPDATE

Did you know that the IRRUT200 utility in RACF 2.1 uses IEBGENER to do a database copy? It's FAST. How fast you ask? It took well under a minute to copy a 75 cylinder database (used 1.07 CPU seconds).

The utility uses IEBGENER and puts a reserve on the volume while the copy takes place, unless you are using data sharing, in which case RACF uses an ENQ on the dataset name for serialization. After the copy, the reserve or ENQ is dropped, and then it does the reporting on inconsistencies and other options you may have requested against the "copied" or work data set specified in the SYSUT1 DD statement. I ran this utility on one of our production systems in the middle of the day and nobody even noticed (that I know of).

AUDIT and SYSTEM ADMINISTRATION CORNER

There are several additions made to MVS that relate to security administration and auditors that I think you need to be aware of, mainly because you won't find this in any RACF manual.

DYNAMIC APF LIBRARY FACILITY added in MVS 4.3

As I mentioned earlier on in this newsletter, one can now add, list, and delete APF libraries on the fly. Before this addition, it was only possible through a vendor product such as OMEGAMON or in-house written code. With MVS 4.3, one can perform dynamic APF library updates either through an MVS console command or by using the authorized MVS macro "CSVAPF". On the positive side, the MVS developers did code in security checks to see if a user is authorized to do any of these dynamic APF functions. You can protect the console commands using the OPERCMDS class and/or protect the APF functions, such as adding or deleting an APF library, with CSVAPF.xxxxx profiles in the FACILITY class.

Without getting into details, see DOC APAR II06850 on IBMLink or have your IBM representative get a hard copy for you. It describes what RACF profiles are necessary to protect CSVAPF functions. You can also refer to the manual: MVS/ESA Planning: Operations; GC28-1441-00.

DYNAMIC EXIT FUNCTION added in MVS 5.1

A new macro in MVS 5.1 called CSVDYNEX allows you to define exits and control their use dynamically, without an IPL. This is great news for us systems programmers who need to check out a new or modified exit on the fly. After testing a new exit you can then replace it with an old one or just plain delete it. If I put on my auditor hat, I just don't want any unauthorized person to hop on a system and delete or change exits whenever they wish. You may want to shut this functionality down or restrict its usage on your production systems.

There are three ways the dynamic exit facility is implemented in MVS:

1. The EXIT statement of the PROGxx parmlib member,

2. The SETPROG EXIT operator command,

3. The CSVDYNEX macro.

You can protect the EXIT statement in the PROGxx parmlib member by a plain old RACF profile that covers the parmlib dataset. You can protect the SETPROG console command by defining MVS.SETPROG.EXIT and MVS.SET.PROG.EXIT profiles in OPERCMDS, and you can protect the functions of CSVDYNEX, such as define, undefine, list, and change exit attributes, with "CSVDYNEX." profiles in the FACILITY class. Documentation for protecting CSVDYNEX functions can be found in manuals MVS/ESA Planning: B1 Security; GC28-1440-00 or MVS/ESA Installation Exits; SC28-1495-00.
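
The protection described in this section and in the dynamic APF section above, as an added example that is not part of the original newsletter: a batch TSO job that default-denies the CSVAPF, CSVDYNEX and SETPROG functions with generic profiles, then permits one group. The job card, the group name SYSPGRP and the UPDATE access level are assumptions to check against the manuals cited above; the job also assumes FACILITY and OPERCMDS are active, RACLISTed and enabled for generic profiles.

```jcl
//RACFDYN  JOB (ACCT),'DYN APF/EXIT',CLASS=A,MSGCLASS=X
//*
//* Added example. SYSPGRP is a hypothetical systems programmer
//* group; UPDATE is an assumed access level.
//*
//* 1. RDEFINE ... UACC(NONE): generic profiles so that any
//*    CSVAPF or CSVDYNEX request, and any SETPROG or SET PROG=
//*    console command, is denied unless explicitly permitted.
//*    MVS.SETPROG.** and MVS.SET.PROG.** also cover the
//*    MVS.SETPROG.EXIT and MVS.SET.PROG.EXIT names in the text.
//* 2. AUDIT(ALL(READ)): log successes and failures so changes
//*    to the APF list or to exits leave an SMF trail.
//* 3. PERMIT: grant the one group that needs the function.
//* 4. SETROPTS RACLIST(...) REFRESH: activate the changes.
//* 5. RLIST ... AUTHUSER: print the resulting access lists
//*    for review.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY CSVAPF.**       UACC(NONE) AUDIT(ALL(READ))
  RDEFINE FACILITY CSVDYNEX.**     UACC(NONE) AUDIT(ALL(READ))
  RDEFINE OPERCMDS MVS.SETPROG.**  UACC(NONE) AUDIT(ALL(READ))
  RDEFINE OPERCMDS MVS.SET.PROG.** UACC(NONE) AUDIT(ALL(READ))
  PERMIT CSVAPF.**       CLASS(FACILITY) ID(SYSPGRP) ACCESS(UPDATE)
  PERMIT CSVDYNEX.**     CLASS(FACILITY) ID(SYSPGRP) ACCESS(UPDATE)
  PERMIT MVS.SETPROG.**  CLASS(OPERCMDS) ID(SYSPGRP) ACCESS(UPDATE)
  PERMIT MVS.SET.PROG.** CLASS(OPERCMDS) ID(SYSPGRP) ACCESS(UPDATE)
  SETROPTS RACLIST(FACILITY OPERCMDS) REFRESH
  RLIST FACILITY CSVAPF.**       AUTHUSER
  RLIST FACILITY CSVDYNEX.**     AUTHUSER
  RLIST OPERCMDS MVS.SETPROG.**  AUTHUSER
  RLIST OPERCMDS MVS.SET.PROG.** AUTHUSER
/*
```

More specific discrete or generic profiles can be layered under these catch-alls later; the most specific matching profile is the one RACF uses.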

SEARUG on the Internet?

Yes folks, it's true. There will be copies of our newsletter, as well as other articles and snippets of code available via the World Wide Web! Point your favorite web browser at the following URL:

http://www.wln.com/~ssabel/searug/searug.html

There may not be much out there at first, but we are looking at adding more all the time. If you have anything to add, send a note to Stuart Sabel at ssabel@tmg-usa.com.

That's It!

That's about all for now. I hope to see you at our next meeting at Puget Power on May 10th. If you have any questions, please give me a call at (206) 957-5574. Thanks.