IBM zSecure – How to Setup RACF Offline

17th December 2019 Rui Miguel Feio RACF Offline, Tech - Mainframe, zSecure

IBM zSecure RACF Offline gives you the ability to create a RACF “play” area where you can not only validate the syntax of RACF commands, but also, in conjunction to zSecure Access Monitor data, simulate the impact of RACF changes to your mainframe environment.

The purpose of this article is to provide the instructions on how to setup IBM zSecure RACF Offline on your mainframe.

There are two datasets for IBM zSecure RACF Offline:

  1. SB8RLNK – must be APF authorised and optionally also link listed to avoid using STEPLIB
  2. SB8SAMP – JCL sample library

In a nutshell to setup your IBM zSecure RACF Offline environment you need to implement the following steps:

Step 1 – Build default options module B8RJOPT (optional)

  • Use job B8RJOPT from SB8RSAMP library:
    • Default resource class should be XFACILIT
    • Optionally you can also setup:
      • The default RACF databases
      • The default LOG datasets
      • The SMF processing options
  • If you do not run this job, RACF Offline will use the default resource class, and will not use a default RACF database.
  • Note that you can specify the RACF offline on the job or when you invoke TSO B8RACF.

Step 2 – Add library to APF and Linklist

  • Add dataset SB8RLNK to APF List
  • Add dataset SB8RLNK to Linklist

Step 3 – Setup PARMLIB memnet IKJTSOxx (optional)

  • Add command B8RACF to the AUTHCMD list in IKJTSOxx.
  • Dynamically update IKJTSOxx:
    • Use the TSO PARMLIB UPDATE(xx) command to activate the changes
    • or, alternatively, issue the MVS command: /SET IKJTSO=xx

Step 4 – SMF Exits

  • Enable the following exits for the entire system or for the relevant subsystems: 
    • IEFU83
    • IEFU84
    • IEFU85
    • Example:
      • SYS(NOTYPE(40,42,99),EXITS(IEFU83,IEFU84,IEFU85,IEFACTRT,IEFUSI,IEFUJI,IEFU29),NOINTERVAL,NODETAIL)SUBSYS(STC,NOTYPE(40,42,99),EXITS(IEFU29,IEFU83,IEFU84,IEFU85))
  • If the SMF exits are not enabled, SMF records created for commands updating the Offline RACF database will seem to modify the System RACF database. That is, the SMF ID on records modified in the Offline RACF database will be the same as it is for records modified in the RACF database.

Step 5 – RACF Security

  • Use job B8RJRDF from SB8RSAMP library to setup RACF.
  • Example:
    • SETR GENERIC(XFACILIT)
    • SETR CLASSACT(XFACILIT)
    • RDEF XFACILIT B8R.** UACC(NONE) OWNER(owner-of-your-choice)
    • PE B8R.** CLASS(XFACILIT) ACCESS(UPDATE) ID(userid-of-the-tester)
    • SETR GENERIC(XFACILIT) REFRESH
    • SETR RACLIST(XFACILIT) REFRESH
  • Note that you will also need access to the RACF Offline database as well as the RACF live database.

Step 6 – Create RACF Offline database

  • Use job B8RJUT2 from SB8RSAMP to create the RACF Offline database.
  • Use job B8RJTST from SB8RSAMP as an example for running commands.

Step 7 – Enable IBM zSecure RACF Offline

  • To explicitly enable RACF Offline, add an entry such as the following one to the active IFAPRDxx PARMLIB member:
    • OWNER(’IBM CORP’)
      • NAME(’zSecure Admin’)
      • ID(5655-T01)
      • VERSION(*) RELEASE(*) MOD(*)
      • FEATURENAME(’RACF-Offline’)
      • STATE(ENABLED)
  • After updating IFAPRDxx, apply the updates by running the operator command /SET PROD=XX.
  • If RACF Offline is disabled, a message B8R106E is issued and processing stops.

Step 8 – Test IBM zSecure RACF Offline

  • To test IBM zSecure RACF Offline you can either use job B8RJTST in SB8RSAMP or issue TSO B8RACF

You should now have a workable IBM zSecure RACF Offline available. It is recommended that you generate a new RACF Offline database each time you want to simulate a change to your RACF environment.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.