IBM Security Z Security

UNLOADs

  • 1.  UNLOADs

    Posted 7 days ago
    As we are migrating to RACF, our staff is converting our batch processes over so they will run under RACF or zSecure. So they are replacing the job that creates a TSS CFILE with one that creates a RACF Unload. They are going to create an UNLOAD dataset, but they are wondering about the benefits of a RACF UNLOAD or a zSecure UNLOAD. Any pointers I can give that team on using one or the other, or both?

    Thanks

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: UNLOADs

    Posted 4 days ago
    Short answer: Yes.

    That is -- you should do both, and even more than that.

    1) Backup your RACF Database at least once a day.
    2) From the backup, you can create an unload.
    3) From the unload, you should be able to load an image of your RACF DB into DB2 -- that allows you to write SPUFI and other SQL queries against things in your database, reports and the like.

    Also, if you're using zSecure -- it can work against the RACF DB, but it can also work against copies of the RACF DB, and has its own Unload as well -- each of these has various usages (and also a Freeze dataset against the rest of your system). zSecure can write reports and such in CARLa (did I capitalize that correctly?). Some reports work better in DB2, others in CARLa. zSecure also lets you set up "offline" copies of RACF -- where you can simulate executing commands before you actually run them against the real DB. (This becomes very helpful if you start collecting Access Manager data.)

    The key thing is to make sure that you protect any physical full copies of the RACF DB so that no one can easily get to it (except for the operating system and zSecure) -- there has to be justification before a (security) person can directly access any copy of the RACF DB.

    (And if you have multiple system images with different RACF DBs, you can get into sending backup copies to other systems, and storing multiple RACF DBs in DB2, and cross-connecting zSecure to talk among the various systems, and RRSF between the systems, and all sorts of other stuff...) Good luck.

    ------------------------------
    Scott Tietjen CISSP
    ------------------------------



  • 3.  RE: UNLOADs

    Posted 4 days ago
    Hello Scott,
    in your answer regarding UNLOADs you wrote:
    3) From the unload, you should be able to load an image of your RACF DB into DB2 -- that allows you to write SPUFI and other SQL queries against things in your database, reports and the like.
    Can you "show me" how to do that, or where I can find some docs on "how to do" it?

    Thanks


    Best regards, freundliche Grüße, meilleures salutations, saludos cordiales

    Rachid Bachir KEBBI
    IT-Administration - Authorization

  • 4.  RE: UNLOADs

    Posted 4 days ago
    Edited by Rob van Hoboken 4 days ago
    You can find DB2 reporting of RACF profiles (using IRRDBU00) documented here, and printing SMF records (via IRRADU00) documented here.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 5.  RE: UNLOADs

    Posted 4 days ago
    Edited by Rob van Hoboken 4 days ago
    Briefly stated:
    zSecure can do reporting from an archived copy of your active RACF database, or from the zSecure specific UNLOAD, but not from an UNLOAD created with IRRDBU00.
    In the zSecure specific UNLOAD, (encrypted) password and other hidden fields are replaced with ********.
    The IRRDBU00 unload can be used for other reporting, such as ICETOOL, but not with zSecure.

    ------------------------------
    Rob van Hoboken
    ------------------------------