On Thursday, 06/04/2009 at 11:24 EDT, "Ayer, Paul W" <[email protected]> wrote:
> Today we have many zVM systems using RACF that are all stand alone
> across our data centers. These zVMs are to support our zLinux guests.
>
> Is there a way to have the RACF databases (adds, deletes, password
> changes) kept in sync between all of the zVM's on our network?

There is currently nothing that will synchronize z/VM RACF databases (a la RRSF), though you can synchronize user passwords with LDAP and a product such as IBM Tivoli Directory Integrator.

I'm assuming that the z/VM systems are not close enough to share DASD, as it is ok for z/VM systems to share the RACF database with other z/VM systems. So that means replicating the database. Note, however, that you cannot just slide a new db under RACF. You need to take him down and up. The other alternative is automation.

> We have been told that our zOS and zVM databases can not be connected at
> all so we have not even looked into that. Has anyone done this?

You can share a RACF database between z/VM and z/OS with the following caveats:

- You can't build a long-term dependency on it. It is tactical only.
- The z/OS system cannot be part of a Sysplex.
- Since systems aren't close enough for shared DASD, that means one companion z/OS system per z/VM system.
- There's no such thing as a "free" z/OS system.
- The z/VM audit trail has no record of any database change made from z/OS.
- The z/OS audit trail has no record of any database change made from z/VM.
- Operationally, you can't hide RACF on z/VM. SETROPTS and SETEVENT must be issued on the z/VM system and you have to process RACF/VM's SMF records (the audit trail).
- Having a z/VM user in the z/OS RACF database may provide unintended access to z/OS resources.
- Having a z/OS user in the z/VM RACF database may provide unintended access to z/VM resources. ** Particularly w.r.t. remote access! **
- If z/OS introduces an incompatibility in the RACF database, your z/VM system is at risk.
- If z/VM introduces an incompatibility in the RACF database, your z/OS system is at risk.
- You can explain to management and auditors how the above makes things "better" for you and them.

For the above reasons, the Weasel-in-Chief of z/VM Security at IBM recommends AGAINST sharing the RACF database between z/OS and z/VM.

Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
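Since the reply says nothing will synchronize stand-alone z/VM RACF databases and that the fallback is replication or automation, the practical control an administrator is left with is detecting drift between the databases so that a missed add, delete, revoke or password change shows up before it becomes an access problem. The script below is an added example written for this archive page, not code from the thread, from IBM or from any RACF tool. It assumes each z/VM system produces a simple one-user-per-line text export (a constructed format, not LISTUSER output) and reconciles those exports across systems.

```python
"""Drift detection across stand-alone RACF databases (added example).

Assumptions (not from the original thread):
  * Each z/VM system exports a simple text listing, one user per line:
        USERID  PASSDATE=YYYY-MM-DD  REVOKED=Y|N
    This format is constructed for the example; it is not LISTUSER output.
  * The systems are expected to hold the same set of user definitions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict


@dataclass(frozen=True)
class UserRecord:
    userid: str
    passdate: date      # date of the last password change
    revoked: bool


def parse_export(text: str) -> Dict[str, UserRecord]:
    """Parse one system's constructed export into a userid -> record map."""
    records: Dict[str, UserRecord] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        userid, *attrs = line.split()
        fields = dict(a.split("=", 1) for a in attrs)
        records[userid.upper()] = UserRecord(
            userid=userid.upper(),
            passdate=date.fromisoformat(fields["PASSDATE"]),
            revoked=fields.get("REVOKED", "N").upper() == "Y",
        )
    return records


def reconcile(exports: Dict[str, Dict[str, UserRecord]]) -> Dict[str, list]:
    """Compare per-system user maps and report drift.

    Returns a dict with:
      'missing'  - (userid, system) pairs where a user defined elsewhere is absent
      'password' - userids whose last password-change date differs between systems
      'revoke'   - userids whose revoked flag differs between systems
    """
    all_users = set().union(*exports.values())
    missing, password, revoke = [], [], []
    for uid in sorted(all_users):
        present = {name: recs[uid] for name, recs in exports.items() if uid in recs}
        for name in exports:
            if name not in present:
                missing.append((uid, name))
        if len({r.passdate for r in present.values()}) > 1:
            password.append(uid)
        if len({r.revoked for r in present.values()}) > 1:
            revoke.append(uid)
    return {"missing": missing, "password": password, "revoke": revoke}


# Constructed sample exports from three stand-alone z/VM systems.
SAMPLE_EXPORTS = {
    "VMSYSA": """
# userid   last password change   revoked
OPERATOR   PASSDATE=2009-05-01 REVOKED=N
LNXADM1    PASSDATE=2009-06-01 REVOKED=N
LNXGST7    PASSDATE=2009-03-15 REVOKED=N
""",
    "VMSYSB": """
OPERATOR   PASSDATE=2009-05-01 REVOKED=N
LNXADM1    PASSDATE=2009-04-20 REVOKED=N
LNXGST7    PASSDATE=2009-03-15 REVOKED=Y
""",
    "VMSYSC": """
OPERATOR   PASSDATE=2009-05-01 REVOKED=N
LNXADM1    PASSDATE=2009-06-01 REVOKED=N
""",
}


def drift_report(raw_exports: Dict[str, str] = SAMPLE_EXPORTS) -> Dict[str, list]:
    """Parse every export and return the reconciliation result."""
    return reconcile({name: parse_export(text) for name, text in raw_exports.items()})


if __name__ == "__main__":
    for kind, items in drift_report().items():
        print(f"{kind}: {items}")
```

On the constructed sample the report flags LNXGST7 as missing from VMSYSC (a delete or add that never propagated), LNXADM1 as having different password-change dates on VMSYSA and VMSYSB, and LNXGST7 as revoked on one system but not the others. Whatever replication or automation is put in place, a report like this run on a schedule is what tells you it actually worked.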
