IBM Security Z Security

 View Only

  • 1.  zSecure UNLOAD integrity question

    Posted Wed April 17, 2024 12:42 PM

    Hello,

     

    I have searched the zSecure documentation and have not been able to locate an answer to my question.  I'm hoping that someone on the list can help.

     

    zSecure allows for the UNLOAD of the RACF database.  Does the zSecure UNLOAD process serialize the database akin to an IRRUT200 copy?  My concern is a fuzzy copy of dataset or general resource profiles, for example, if such up update is in-flight when the zSecure UNLOAD occurs.

     

    Regards,

     

    ----

     

    Robyn E Gilchrist

    Senior RACF and ACF2 Consultant

    RSH Consulting, Inc.

    617-977-9090

    www.linkedin.com/in/robyn-e-gilchrist

    www.rshconsulting.com

    ---------------------------------------------------------------------------

    Upcoming RSH RACF Training - WebEx

    - RACF Level I Administration - APR 22-26, 2024

    - RACF Level II Administration - NOV 4-8, 2024

    - RACF Level III Admin, Audit, & Compliance - DEC 9-13, 2024

    - RACF - Securing z/OS UNIX  - SEPT 23-27, 2024

    - zSecure Admin - Basic Administration - May 7-10, 2024

    ---------------------------------------------------------------------------

     



  • 2.  RE: zSecure UNLOAD integrity question

    Posted 30 days ago

    It is impossible to synchronize with RACF from a non-APF run. Typically if a RACF update happens to the very profile we are processing, you get a severity 20 message (for instance CKR0027 or CKR0029) which has as "User action" that you should just try again. and only take other action if it persists. However for an APF run we could in principle do something about it.

    Ideas have been formulated by various of our customers to make sure the unload is serialized to prevent this from happening (ZALERT-I-18. ZALERT-I-53, ZSECURE-I-136). It definitely is on our to-do list, but always seems to get prioritized below other urgent compliance stuff.

    That being said, the frequency of it happening has been greatly reduced due to customers no longer maintaining tape VTOCs, which were the prime contributor to RACF db update frequency. Do you see any reason / upcoming scenario for it to be on the increase again?

    For today, you could at least equip your own nightly JCL with an extra IRRUT200 step.



    ------------------------------
    Hans Schoone
    Chief Architect zSecure
    IBM - zSecure architect
    Delft
    ------------------------------

    Original Message


  • 3.  RE: zSecure UNLOAD integrity question

    Posted 30 days ago

    Hi Hans,

    Thank you for the detailed answer.  There is no specific scenario that I was inquiring about and I have not observed CC=20 in an UNLOAD job, but now I know why I could see one.

    regards,



    ------------------------------
    Robyn Gilchrist
    ------------------------------

    Original Message