Re: server pac install and RACFDRV
Yes, the RACF commands which come with ServerPac have the potential to really muck up things if you are not VERY careful. I would very much like to see most every RACF command have an option something like EXEC(DISPLAY | IFNOTEXIST | EXEC) to allow:

1) Just display the thing(s) affected by the command
2) Only create if not already existing or active
3) Do it...

(There might be other good options, but these come to mind.) Or perhaps a PARM on the executing program to do the same for the commands. This would allow you to mass change the EXEC( parm to get a better idea of how the RACFDRV commands compare to what you already have in place.

Tim Brown tbr...@cenhud.com
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
04/27/2010 05:32 AM
Please respond to IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
To: IBM-MAIN@bama.ua.edu
Subject: server pac install and RACFDRV

As part of the ServerPac install a job called RACFDRV is run to modify the driving system's RACF. Back when we upgraded from 1.7 to 1.9 I first ran this on our test z/OS to determine if it would have any effect when we had to run it on our production system. Is this still best practice? Is there a way to run it in a way that updates are not performed but just checking what would be updated? If it just adds definitions where necessary, how would that prevent a production system from failing? Has anyone ever experienced a situation where it did cause problems?

Tim Brown
Systems Specialist - Project Leader
Central Hudson Gas & Electric
284 South Ave
Poughkeepsie, NY 12601
Email: tbr...@cenhud.com
Phone: 845-486-5643
Fax: 845-486-5921
Cell: 845-235-4255

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
server pac install and RACFDRV
As part of the ServerPac install a job called RACFDRV is run to modify the driving system's RACF. Back when we upgraded from 1.7 to 1.9 I first ran this on our test z/OS to determine if it would have any effect when we had to run it on our production system. Is this still best practice? Is there a way to run it in a way that updates are not performed but just checking what would be updated? If it just adds definitions where necessary, how would that prevent a production system from failing? Has anyone ever experienced a situation where it did cause problems?

Tim Brown
Systems Specialist - Project Leader
Central Hudson Gas & Electric
284 South Ave
Poughkeepsie, NY 12601
Email: tbr...@cenhud.com
Phone: 845-486-5643
Fax: 845-486-5921
Cell: 845-235-4255
Re: server pac install and RACFDRV
Tim Brown wrote:

As part of the ServerPac install a job called RACFDRV is run to modify the driving system's RACF. Back when we upgraded from 1.7 to 1.9 I first ran this on our test z/OS to determine if it would have any effect when we had to run it on our production system. Is this still best practice? Is there a way to run it in a way that updates are not performed but just checking what would be updated? If it just adds definitions where necessary, how would that prevent a production system from failing? Has anyone ever experienced a situation where it did cause problems?

snip

(Recoiling in only-sort-of-mock horror:)

RACFDRV and RACFTGT are not really meant to be run, except by the ServerPac test team or customers who need to instantiate a new environment with a new security database and need something to get started with that will allow all the installation jobs to run.

RACFDRV and RACFTGT are meant to be *sample* RACF definitions you can give to your RACF administrator so that the needed updates can be made to your security environment. Any number of problems could result from actually running these jobs on your system, and the prologs should say so (I know they did originally, because I wrote them).

We did not (and still don't) have a good way to discover and understand your security policies so we can figure out what profiles to add to an existing set of security definitions without adding or subtracting authorizations that should not be added or subtracted.

--
John Eells (ServerPac design alumnus)
z/OS Technical Marketing
IBM Poughkeepsie
ee...@us.ibm.com
Re: server pac install and RACFDRV
I could see RACFDRV causing problems when it activates classes that you otherwise might not have active. I pick out the new definitions needed from the RACFDRV and add those to the RACF database to suit the shop.

Michael Saraco
Systems Consultant
303-838-3374 x115
Cell 507-525-0530

From: Tim Brown tbr...@cenhud.com
To: IBM-MAIN@bama.ua.edu
Date: 04/27/2010 07:33 AM
Subject: server pac install and RACFDRV
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

As part of the ServerPac install a job called RACFDRV is run to modify the driving system's RACF. Back when we upgraded from 1.7 to 1.9 I first ran this on our test z/OS to determine if it would have any effect when we had to run it on our production system. Is this still best practice? Is there a way to run it in a way that updates are not performed but just checking what would be updated? If it just adds definitions where necessary, how would that prevent a production system from failing? Has anyone ever experienced a situation where it did cause problems?

Tim Brown
Systems Specialist - Project Leader
Central Hudson Gas & Electric
284 South Ave
Poughkeepsie, NY 12601
Email: tbr...@cenhud.com
Phone: 845-486-5643
Fax: 845-486-5921
Cell: 845-235-4255
Re: server pac install and RACFDRV
Tim, we never run those jobs. However, we do prefix almost all of our SYSRES datasets with SYS1.*, so there is no introduction of any new HLQ's. Unless there are new STC's that need definitions, or other new FACILITIES, there are rarely any security changes needed.

Dave Jousma
Assistant Vice President, Mainframe Services
david.jou...@53.com
1830 East Paris, Grand Rapids, MI 49546 MD RSCB1G
p 616.653.8429
f 616.653.8497

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Tim Brown
Sent: Tuesday, April 27, 2010 8:32 AM
To: IBM-MAIN@bama.ua.edu
Subject: server pac install and RACFDRV

As part of the ServerPac install a job called RACFDRV is run to modify the driving system's RACF. Back when we upgraded from 1.7 to 1.9 I first ran this on our test z/OS to determine if it would have any effect when we had to run it on our production system. Is this still best practice? Is there a way to run it in a way that updates are not performed but just checking what would be updated? If it just adds definitions where necessary, how would that prevent a production system from failing? Has anyone ever experienced a situation where it did cause problems?
Re: server pac install and RACFDRV
If the profile added is more specific than an existing profile, then existing users' access can abruptly change. I've seen this with PADS profiles (and, yes, there were production failures).

Also, new resource profiles are sometimes added with UACC(READ), which is an audit hot button for some.

As others have posted, the 'best practice' is to simply turn over the suggestions to your security folks.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Tim Brown
Sent: Tuesday, April 27, 2010 7:32 AM
To: IBM-MAIN@bama.ua.edu
Subject: server pac install and RACFDRV

..snip

If it just adds definitions where necessary, how would that prevent a production system from failing? Has anyone ever experienced a situation where it did cause problems?

Tim Brown
Systems Specialist - Project Leader
Central Hudson Gas & Electric
284 South Ave
Poughkeepsie, NY 12601
Email: tbr...@cenhud.com
Phone: 845-486-5643
Fax: 845-486-5921
Cell: 845-235-4255
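The posts above ask for a "display only" pass over the sample commands and name three ways running them can bite: activating a class, a new profile that is more specific than an existing generic one, and UACC(READ). The following is an added example, not code from any poster or from ServerPac, that reviews a command deck offline against a snapshot of the current definitions and changes nothing. The deck, the snapshot, the names `review` and `covers`, and the simplified enhanced-generic-naming match are all assumptions made for illustration.

```python
import re

# Constructed sample commands in the style of a sample RACF job; not the
# contents of the real RACFDRV job. One command per line is assumed.
SAMPLE_DECK = """\
SETROPTS CLASSACT(PROGRAM)
ADDSD 'SYS1.LINKLIB' UACC(READ)
ADDSD 'PROD.PAYROLL.MASTER' UACC(NONE)
RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)
"""
# Constructed snapshot of what is already defined: class -> {profile: UACC}.
EXISTING = {"DATASET": {"SYS1.LINKLIB": "READ", "PROD.**": "NONE"},
            "FACILITY": {"BPX.*": "NONE"}}
ACTIVE_CLASSES = {"DATASET", "FACILITY"}

# RACF generic characters mapped to regex fragments (simplified).
GENERIC = {".**": r"(\..*)?", "**": ".*", "*": "[^.]*", "%": "[^.]"}

def covers(generic, name):
    """True if the generic profile would match the given resource name."""
    parts = re.split(r"(\.\*\*|\*\*|\*|%)", generic)
    rx = "".join(GENERIC.get(p, re.escape(p)) for p in parts)
    return re.fullmatch(rx, name) is not None

def review(deck, existing, active):
    """Return (command, finding) pairs; nothing is executed or changed."""
    findings = []
    for line in deck.splitlines():
        cmd = line.strip()
        m = re.match(r"SETROPTS\s+CLASSACT\(([^)]*)\)", cmd, re.I)
        if m:  # class activation: report only classes not active today
            classes = re.findall(r"[^\s,]+", m.group(1).upper())
            findings += [(cmd, f"ACTIVATES {c}") for c in classes if c not in active]
            continue
        m = (re.match(r"ADDSD\s+'(?P<name>[^']+)'", cmd, re.I)
             or re.match(r"RDEFINE\s+(?P<cls>\S+)\s+(?P<name>\S+)", cmd, re.I))
        if not m:
            continue
        cls = (m.groupdict().get("cls") or "DATASET").upper()
        name = m.group("name").upper()
        profiles = existing.get(cls, {})
        hits = [g for g in profiles if set(g) & set("*%") and covers(g, name)]
        if name in profiles:
            findings.append((cmd, "EXISTS"))
        else:  # new, more specific profile takes over from the generic one
            findings += [(cmd, f"OVERRIDES {g}") for g in hits]
        if re.search(r"UACC\(READ\)", cmd, re.I):
            findings.append((cmd, "UACC(READ)"))
    return findings

for cmd, finding in review(SAMPLE_DECK, EXISTING, ACTIVE_CLASSES):
    print(f"{finding:20} {cmd}")
```

An OVERRIDES finding is the case described above: once the more specific profile exists, the access list on the generic profile no longer decides access to that resource.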
Re: server pac install and RACFDRV
On Tue, 2010-04-27 at 10:55 -0400, Hal Merritt wrote:

As others have posted, the 'best practice' is to simply turn over the suggestions to your security folks.

Hrm. Well, in my place *I'm* the security folks. (And the systems guy. And the storage guy. And the IDMS DBA.) Dealing the problem to the RACFDRV Department of the company's Security Division isn't a luxury I have.

I've spoken with John Eells offline about my use of RACFDRV/RACFTGT, and probably increased his level of heartburn. I use his jobs while remaking the RACF database when I install new releases. See, I don't do upgrades, but rather full installs, then rerun the HRF and RACFxxx jobs just before cutover.

That might make some folks around here shake their heads, but it's a mechanism I understand and which seems to work in our small-potatoes environment. 'Best practices' is like 'one size fits all'.

--
David Andrews
A. Duda and Sons, Inc.
david.andr...@duda.com
Re: server pac install and RACFDRV
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of John Eells
Sent: Tuesday, April 27, 2010 5:55 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: server pac install and RACFDRV

Tim Brown wrote:

As part of the ServerPac install a job called RACFDRV is run to modify the driving system's RACF. Back when we upgraded from 1.7 to 1.9 I first ran this on our test z/OS to determine if it would have any effect when we had to run it on our production system. Is this still best practice? Is there a way to run it in a way that updates are not performed but just checking what would be updated? If it just adds definitions where necessary, how would that prevent a production system from failing? Has anyone ever experienced a situation where it did cause problems?

snip

(Recoiling in only-sort-of-mock horror:)

RACFDRV and RACFTGT are not really meant to be run, except by the ServerPac test team or customers who need to instantiate a new environment with a new security database and need something to get started with that will allow all the installation jobs to run.

RACFDRV and RACFTGT are meant to be *sample* RACF definitions you can give to your RACF administrator so that the needed updates can be made to your security environment. Any number of problems could result from actually running these jobs on your system, and the prologs should say so (I know they did originally, because I wrote them).

We did not (and still don't) have a good way to discover and understand your security policies so we can figure out what profiles to add to an existing set of security definitions without adding or subtracting authorizations that should not be added or subtracted.

I think I ran it with the first ServerPac we did, circa z/OS 1.4 jumping from OS390. I've also tried it on the sandbox, but results were not optimal :) Even out of the box it needs tailoring as we don't use IBMUSER for anchoring anything.

I do think IBM could build on DBSYNC and develop an attempt to compare and suggest changes. I made such a suggestion on RACF-L when I was frustrated with RACxxx jobs in the z/OS 1.11 ServerPac.

Dave Gibney
Information Technology Services
Washington State University

--
John Eells (ServerPac design alumnus)
z/OS Technical Marketing
IBM Poughkeepsie
ee...@us.ibm.com