Front cover ABCs of IBM z/OS System Programming Volume 6 Security on z/OS RACF and SAF Cryptography Karan Singh Rui Feio Oerjan Lundgren Bob McCormack Rita Pleus Paul Rogers ibm.com/redbooks International Technical Support Organization ABCs of IBM z/OS System Programming Volume 6 August 2014 SG24-6986-01 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. Second Edition (August 2014) This edition applies to Version 1, Release 7 of z/OS (5694-A01), Version 1 Release 7 of z/OS.e (5655-G52), and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright International Business Machines Corporation 2008, 2014. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii Preface . ix Authors. ix Now you can become a published author, too! . .x Comments welcome. xi Stay connected to IBM Redbooks . xi Chapter 1. Introduction to IBM z/OS security . 1 1.1 z/OS basic security facilities . 2 1.2 z/OS Security Server components . 4 1.3 Integrated Security Services . 5 1.4 Cryptographic Services . 6 1.5 Security Level 3. 8 1.6 IBM Tivoli Directory Server for z/OS . 8 Chapter 2. System Authorization Facility . 9 2.1 SAF overview . 10 2.2 SAF in detail . 12 Chapter 3. IBM z/OS Security Server RACF . 17 3.1 What is RACF? . 18 3.2 RACF functions . 19 3.3 RACF ISPF panel . 22 3.4 RACF profiles . 23 3.5 RACF commands . 25 3.6 User authentication . 27 3.7 Resource managers . 28 3.8 RACF classes . 30 3.9 Security administration with RACF . 31 3.10 RACF user identification and verification . 33 3.11 RACF user profile . 34 3.12 RACF user attributes. 36 3.13 RACF user segments . 38 3.14 RACF user ID and password . 41 3.15 Adding a new user to RACF . 43 3.16 Reset a user password . 44 3.17 Alter a user ID . 46 3.18 Change a user password interval . 47 3.19 Delete a user ID . 48 3.20 User-related RACF commands . 49 3.21 RACF groups . 50 3.22 RACF group structure example. 52 3.23 RACF group-related commands: Add a group . 53 3.24 RACF group-related commands: Alter a group. 54 3.25 RACF group-related commands: Delete a group . 55 3.26 Connect a user to a group. 56 3.27 Remove a user from a group . 57 © Copyright IBM Corp. 2008, 2014. All rights reserved. iii 3.28 Data sets and general resources . 58 3.29 More on profiles for data sets and general resources. 59 3.30 Data set profiles . 61 3.31 Defining data set profiles. 63 3.32 Data set profile access list . 65 3.33 Add a data set profile . 67 3.34 Alter a data set profile . 68 3.35 Search RACF database using a mask . 69 3.36 Data set-related commands . 70 3.37 Data set-related commands, continued . 71 3.38 General resources-related commands . 72 3.39 General resources-related commands, continued . 73 3.40 General resources-related commands, continued . 74 3.41 SET RACF system options . 75 3.42 Statistic-related options. 76 3.43 Password-related options . 78 3.44 Data set-related options . 80 3.45 Class-related options . 83 3.46 Authorization checking-related options . 86 3.47 Tape-related options . 88 3.48 RVARY and other options for initial setup. 90 3.49 RACF and auditing . 93 3.50 Auditor-related options . ..