IBM Security Z Security

  • 1.  CARLA reports on AS_DD do not always resolve RACF_PROFILE

    Posted Fri January 20, 2023 06:19 AM
    I have developed a number of compliance reports in CARLA that use the AS_DD type to assess the RACF protection of e.g. DB2 log datasets.
    My experience is that in some cases, the RACF_PROFILE field - and hence also a number of deducted fields - are not resolved.

    The input for the reports is a RACF unload and a number of CKFREEZE files - one per lpar in the sysplex.
    The result may vary from time to time. In some cases, the RACF_PROFILE is always resolved, yet in other cases it may be missing on records from one or more of the lpars. If I generate the same report on only one CKFREEZE file, the RACF_PROFILE is always resolved.

    Has anyone had similar experiences with AS_DD or similar types (e.g. DSN) where a RACF profile name is resolved from a resource name?
    Or maybe even a suggested solution?

    ------------------------------
    Mikael Rasmussen
    Senior Mainframe Security Engineer
    Danske Bank
    Brabrand
    +4540766221
    ------------------------------


  • 2.  RE: CARLA reports on AS_DD do not always resolve RACF_PROFILE

    Posted Fri January 20, 2023 06:39 AM

    Hi Mikael,

    From the way you describe it--sometimes the same report works and sometimes it doesn't--it rather sounds like a bug. In that case, probably opening a Case and providing details will give us a better chance of troubleshooting what is going on.

    I can confirm that if no profile is found for RACF_PROFILE, RACF_AUDITF, RACF_AUDITS, RACF_IDSTAR_ACCESS, RACF_UACC, RACF_WARN_ONLY, RACF_CLASS, and RACF_PROFTYPE will also be missing.

    I take it that the LPARs all belong to the one database. Does the CKR0615 message in SYSPRINT indeed show you that the engine believes you have a single COMPLEX?

    Regards,



    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: CARLA reports on AS_DD do not always resolve RACF_PROFILE

    IBM Champion
    Posted Mon January 23, 2023 03:24 AM
    Old versions of zSecure would not resolve the RACF_PROFILE field (and all fields depending on the profile) when the VTOC information (with the INDICATED bit) was not collected in CKFREEZE, and therefore zSecure was unwilling to find the generic profile for the dsname. This could also happen if the VTOC info was collected, but much later on in the CKFREEZE. The zSecure version may be relevant in your report.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 4.  RE: CARLA reports on AS_DD do not always resolve RACF_PROFILE

    Posted Mon January 23, 2023 08:30 AM

    We are now running version 2.5.0 of all zSecure products.
    I do believe though, that I have seen the same misbehavior on version 2.4.0 as well.

    CKR0615 does appear, and I interpret it in the way that it perceives my input as a single sysplex (Complex only appears on the first line). 
    It appears arbitrary to me - even though I know that nothing in IT is truly arbitrary, not even random functions.

    The odd thing about this is that we have two sysplexes with more or less the same setup. On one of them I see the error and on the other I don't.

    If there are no obvious explanations, what would be the appropriate information in a PMR?



    ------------------------------
    Mikael Rasmussen
    Senior Mainframe Security Engineer
    Danske Bank
    Brabrand
    +4540766221
    ------------------------------



  • 5.  RE: CARLA reports on AS_DD do not always resolve RACF_PROFILE

    Posted Tue January 24, 2023 06:24 AM

    Hi Mikael,

    After some consideration I think your observation might be a match to APAR OA61474, which development seeks to resolve in a future edition of the product.

    This APAR is nominally about RACF_PROFILE not being filled in for TYPE=RESOURCE, but I believe this effect might also extend to TYPE=AS_DD. It is clearly about a failure in correctly analyzing a shared DASD configuration.

    The level of detail in your description is insufficient to determine if the cause is the same, but it is also rather unlikely we would get very far there without spending a lot of time with looking at what happens with the complete CKFREEZE files etc., which might be more than you would like to share, and more work for us to analyze than we would be particularly charmed with, too. So I am not sure if you will find it worth opening an additional Case at this time.

    Regards,

    --Jeroen

    P.S. The term "Problem Management Record" was tied to a prior tool we moved away from a few years ago, so I avoid using it now.



    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------