IBM Security Z Security

As we are migrating to RACF, our staff is converting our batch processes over so they will run under RACF or zSecure.     So they are replacing the job that creates a TSS CFILE, with one that creates a RACF Unload.  They are going to create a UNLOAD dataset but they are wondering the benefits of a RACF UNLOAD or a zSecure UNLOAD.   Any pointers I can give that team on using one or the other, or both?

Thanks

------------------------------
Linnea Sullivan
------------------------------

Short answer: Yes.

that is -- you should do both, and even more than that.

1) Backup your RACF Database at least once a day.
2) From the backup, you can create an unload.
3) From the unload, you should be able to load an image of your RACF DB into DB2 -- that allows you to write SPUFI and other SQL queries against things in your database, reports and the like.

Also, if you're using zSecure -- it can work against the RACF DB, but it can also work against copies of the RACF DB, and has its own Unload as well -- each of these have various usages. (and also a Freeze dataset against the rest of your system,).  zSecure can write reports and such in CARLa (did I capitalize that correctly?).  Some reports work better in DB2, others in CARLa.  zSecure also lets you set up "offline" copies of RACF -- where you can simulate executing commands Before you actually run them against the real DB.  (This becomes very helpful if you start collecting Access Manager data.)

The key thing is to make sure that you protect any physical full copies of the RACF DB so that no one can easily get to it (except for the operating system and zSecure) -- there has to be justification before a (security) person can directly access any copy of the RACF DB.

(and if you have multiple system images with different RACF DBs, you can get into sending backup copies to other systems, and storing multiple racf db's into DB2, and cross connecting zSecure to talk among the various systems, and RRSF between the systems, and all sorts of other stuff...  Good luck.

------------------------------
Scott Tietjen CISSP
------------------------------

Original Message:
Sent: Fri May 22, 2020 12:02 PM
From: Linnea Sullivan
Subject: UNLOADs

As we are migrating to RACF, our staff is converting our batch processes over so they will run under RACF or zSecure.     So they are replacing the job that creates a TSS CFILE, with one that creates a RACF Unload.  They are going to create a UNLOAD dataset but they are wondering the benefits of a RACF UNLOAD or a zSecure UNLOAD.   Any pointers I can give that team on using one or the other, or both?

Thanks

------------------------------
Linnea Sullivan
------------------------------

Original Message:
Sent: 5/25/2020 4:27:00 AM
From: Scott Tietjen
Subject: RE: UNLOADs

Short answer: Yes.

that is -- you should do both, and even more than that.

1) Backup your RACF Database at least once a day.
2) From the backup, you can create an unload.
3) From the unload, you should be able to load an image of your RACF DB into DB2 -- that allows you to write SPUFI and other SQL queries against things in your database, reports and the like.

Also, if you're using zSecure -- it can work against the RACF DB, but it can also work against copies of the RACF DB, and has its own Unload as well -- each of these have various usages. (and also a Freeze dataset against the rest of your system,).  zSecure can write reports and such in CARLa (did I capitalize that correctly?).  Some reports work better in DB2, others in CARLa.  zSecure also lets you set up "offline" copies of RACF -- where you can simulate executing commands Before you actually run them against the real DB.  (This becomes very helpful if you start collecting Access Manager data.)

The key thing is to make sure that you protect any physical full copies of the RACF DB so that no one can easily get to it (except for the operating system and zSecure) -- there has to be justification before a (security) person can directly access any copy of the RACF DB.

(and if you have multiple system images with different RACF DBs, you can get into sending backup copies to other systems, and storing multiple racf db's into DB2, and cross connecting zSecure to talk among the various systems, and RRSF between the systems, and all sorts of other stuff...  Good luck.

------------------------------
Scott Tietjen CISSP
------------------------------

Original Message:
Sent: Fri May 22, 2020 12:02 PM
From: Linnea Sullivan
Subject: UNLOADs

As we are migrating to RACF, our staff is converting our batch processes over so they will run under RACF or zSecure.     So they are replacing the job that creates a TSS CFILE, with one that creates a RACF Unload.  They are going to create a UNLOAD dataset but they are wondering the benefits of a RACF UNLOAD or a zSecure UNLOAD.   Any pointers I can give that team on using one or the other, or both?

Thanks

------------------------------
Linnea Sullivan
------------------------------

You can find DB2 reporting of RACF profiles (using IRRDBU00) documented here, and printing SMF records (via IRRADU00) documented here.

------------------------------
Rob van Hoboken
------------------------------

Briefly stated:
zSecure can do reporting from an archived copy of your active RACF database, or from the zSecure specific UNLOAD, but not from an UNLOAD created with IRRDBU00.
In the zSecure specific UNLOAD, (encrypted) password and other hidden fields are replaced with ********.
The IRRDBU00 unload can be used for other reporting, such as ICETOOL, but not with zSecure.

------------------------------
Rob van Hoboken
------------------------------

Rob, from the manuals it seems the zSecure UNLOAD process  builds the unload from the Active Primary RACF DB.    I have 3 questions:  #1. Does the CARLA job that builds the zSecure Unload put a hold on the RACF Primary while the job is running?   #2.  Can the unload be built from a backup copy of the RACF DB instead?    #3. Can the unload be built from the zSecure Server?

What would the JCL/Carla look like to use the backup file or zSecure Server as inputs?



​​​

------------------------------
Linnea Sullivan
------------------------------

Original Message:
Sent: Mon May 25, 2020 05:13 AM
From: Rob van Hoboken
Subject: UNLOADs

Briefly stated:
zSecure can do reporting from an archived copy of your active RACF database, or from the zSecure specific UNLOAD, but not from an UNLOAD created with IRRDBU00.
In the zSecure specific UNLOAD, (encrypted) password and other hidden fields are replaced with ********.
The IRRDBU00 unload can be used for other reporting, such as ICETOOL, but not with zSecure.

------------------------------
Rob van Hoboken
------------------------------

The general zSecure database reader currently doesn't issue locks on the RACF database.  Not for reports, not for unloads.  Unless you (try to) add a DD with DISP=OLD, the allocation is always in SHR (non-exclusive) state.
You can do the same things from the primary (ALLOC TYPE=RACF ACTIVE) or the duplex (ALLOC TYPE=RACF BACKUP).
The job to create an unload can be found in CKRJOBS and SCKRSAMP member C2RJPREP.  Basically this allocates the UNLOAD data set to a DD name CKRUNLOU (the U at the end is intentional) and executes:
alloc type=racf active
unload
The UNLOAD command does not work through CKNSERVE.

------------------------------
Rob van Hoboken
------------------------------

Original Message:
Sent: Tue June 02, 2020 10:06 AM
From: Linnea Sullivan
Subject: UNLOADs

Rob, from the manuals it seems the zSecure UNLOAD process  builds the unload from the Active Primary RACF DB.    I have 3 questions:  #1. Does the CARLA job that builds the zSecure Unload put a hold on the RACF Primary while the job is running?   #2.  Can the unload be built from a backup copy of the RACF DB instead?    #3. Can the unload be built from the zSecure Server?

What would the JCL/Carla look like to use the backup file or zSecure Server as inputs?



​​​

------------------------------
Linnea Sullivan

Original Message:
Sent: Mon May 25, 2020 05:13 AM
From: Rob van Hoboken
Subject: UNLOADs

Briefly stated:
zSecure can do reporting from an archived copy of your active RACF database, or from the zSecure specific UNLOAD, but not from an UNLOAD created with IRRDBU00.
In the zSecure specific UNLOAD, (encrypted) password and other hidden fields are replaced with ********.
The IRRDBU00 unload can be used for other reporting, such as ICETOOL, but not with zSecure.

------------------------------
Rob van Hoboken
------------------------------