On Thu, 23 Oct 2008 12:34:36 -0500, Mike Feeley <[EMAIL PROTECTED]> wrote:
> OK, here is a recap. Commands routed to all LPARs will work if they are issued from the RACF LPAR. The command will fail (only on the RACF LPAR) if issued from a Top Secret LPAR. This all boils down to the ENVRIN data. Top Secret has a way to deal with it and RACF does not.

Just so you're aware, you've made some assumptions there:

(1) You've assumed that Top Secret is dealing with it correctly and in a way that will work in all circumstances. One key requirement is that there never be I/O or serialization required to create a working security environment (e.g., ACEE) to handle the RACROUTE REQUEST=AUTH for an OPERCMDS check. I don't know that they're not doing it correctly, but I also do not know that they are in fact handling this mixed environment correctly, either, with respect to this requirement. And you might never know until you hit one of the rare cases where this requirement really matters.

(1a) Also, and just for my own curiosity, have you tried routing a command from a RACF system to a Top Secret system where the user does not have appropriate authority to issue the command on the Top Secret system? Does it really fail in that case? And does it have the user ID correct? Also, have you tried with commands from both MCS and EMCS consoles?

(2) You've assumed that Top Secret (and ACF2) are providing enough information that RACF would be able to handle the request, if we still had a way to ensure (1). In at least some cases I know of, at least one of them isn't providing any security information on the routed command. That's part of my curiosity in (1a), as I've heard a lot of people say "the commands work" but I've never known if anyone has confirmed that there's any security processing happening at all on the receiving system when the security product isn't RACF.
-- 
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

