book

RACF Remote Sharing Facility over TCP/IP

by Karan Singh, Rama Ayyar, Mike Onghena, Phil Peters, Arunkumar Ramachandran, Philippe Richard, Roland Schwahn

August 2012

Intermediate to advanced

168 pages

5h 36m

English

IBM Redbooks

Read now

Unlock full access

Notices
Trademarks
Preface
The team who wrote this book
Now you can become a published author, too!
Comments welcome
Stay connected to IBM Redbooks
Chapter 1: Introduction
RRSF network
RRSF nodesRRSF modes of operation
Multi-system node and single-system node
User ID association
Peer user ID associationManaged user ID association
RRSF components

RRSF functions
Password synchronizationCommand directionAutomatic password direction
Automatic command direct
How RRSF operates
RRSF over TCP/IP
Defining and controlling RRSF environmentSET command
TARGET command
RRSFDATA class
RRSF setup overview
Chapter 2: Planning
Implementing RRSF using TCP/IP
Original configurationNodes and systems
RRSF configuration
RRSF functions
Comparing original environments
Workspace data sets
Network considerations
Converting from APPC to TCP/IP
Original APPC protocol configuration
Earlier systems
RACF parameter library IRROPTxxWorkspace data sets
Network considerations
Chapter 3: Configuring RRSF for TCP/IP
Overview of AT-TLS
Setting up the PAGENT-started task
Setting up the PAGENT started task procedure
Defining the necessary RACF profiles for PAGENT
Restricting access to the pasearch command
Set up TTLS Stack Initialization access control
Verifying the PAGENT setup
Configuring AT-TLS policy for RRSF server and client
Identifying the traffic that you need to protect
Authenticating the remote RRSF node
Encrypting the data across the TCP/IP connection
Coding the policy
Creating digital certificates and key rings
Implementing an RRSF trust policyDigital certificates
Using the same, self-signed certificate for all RRSF nodes
Using an internal CA to sign a server certificate for each RRSF node (1/4)
Using an internal CA to sign a server certificate for each RRSF node (2/4)
Using an internal CA to sign a server certificate for each RRSF node (3/4)
Using an internal CA to sign a server certificate for each RRSF node (4/4)
Using an external CA to sign a server certificate for each RRSF node
Updating TCP/IP to enable RRSF
Enabling AT-TLSDefining and protecting RRSF port 18136
Updating necessary RACF profiles
Adding an OMVS segment to RACF subsystem user ID
Enabling CSFSERV resources
Protecting the TCP/IP stack
Verifying the RRSF setup
Activating and verifying AT-TLS
Stopping RACF on all systems
Starting RACF on all systems without defining any RRSF nodes
Defining the RRSF node on local main system SC75 in PLEX75
Defining the RRSF node on local system SC74 in PLEX75
Defining the RRSF node on local system SC76 in PLEX76
Defining the remote node to SC75
Defining the remote node to SC74
Defining the remote node to SC76
Displaying the RRSF status on every system
Chapter 4: Converting APPC connections to TCP connections
Sample configuration
Protocol conversion overview
Protocol conversion process
Sample configuration IRROPTxx files
A simple protocol conversion
Target command changes
Protocol conversion and the local node
Multi-System Node considerationsOrder of protocol definition
Workspace data set considerations
Information required before protocol conversion
IRROPTxx considerations
Conversion of the sample configuration
Preliminary setup
Updating local node definitions to support TCP in addition to APPC
Converting communications between PLEX75 and PLEX76 from APPC to TCP
Earlier system considerations
Adding TCP to local node definition
Converting remote nodes
Execution of shared IRROPTxx file on current and earlier systems
Conversion of communications between MSN PLEX75 and MSN PLEX81
Chapter 5: Operations
Administration
SET command
TARGET commands (nodes)
IP addresses and ports
PAGENT and Certificates: AT-TLS
RESTART command
RRSFDATA resourcesRRSFDATA RESOURCES related to AUTODIRECT
CLAUTH
FIELD level access
RRSF Considerations for Automatic ID AssignmentSETROPTS and SYSPLEX COMMUNICATION
Revoked IDs or IDs revoked at different nodes
Certificates and certificate renewal
Renewing an expiring RRSF server certificate issued by a local CA
Renewing an expired RRSF server certificate
RRSF remote node server certificate expired
Renewing (rekeying) a certificate with a new private key
Considerations for CA certificate management
Renewing a local CERTAUTH certificate
Renewing an expired CERTAUTH certificate
Diagnosing RRSF problems
Error messages from components
Obtaining information about RRSF connections
z/OS UNIX System Services errors
TCP/IP errors
AT-TLS errors
Secure Sockets Layer (SSL)
RACF errors
PAGENT errors
RRSF errors
Useful commands for problem diagnosis
Maintenance and recovery: RRSF data sets
RRSFLIST data sets
Moving/resizing/renaming the RRSF workspace data sets
INMSG and OUTMSG data set names
Related publications
IBM RedbooksOther publicationsHelp from IBM
Index
Back cover

Content preview from RACF Remote Sharing Facility over TCP/IP

136 RACF Remote Sharing Facility over TCP/IP

 Verify that a certificate has not expired.

 Verify that the key type associated with the certificate is not valid for the cipher algorithm

requested in the policy.

 If the certificate private key is stored in the ICSF PKDS, verify that ICSF is started when

RRSF connections were attempted.

 Verify that both systems have the same policy statements for RRSF, both for the client and

server portions of the policy.

 Make sure that ICSF starts earlier in the IPL sequence that the PAGENT.

5.6.6 Secure Sockets Layer (SSL)

The SSL errors are likely caused by an error in the certificates. You get an SSL error ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

IBM z/OS V2R1 Communications Server TCP/IP Implementation Volume 4: Security and Policy-Based Networking

Publisher Resources

ISBN: 0738437050Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

RACF Remote Sharing Facility over TCP/IP

by Karan Singh, Rama Ayyar, Mike Onghena, Phil Peters, Arunkumar Ramachandran, Philippe Richard, Roland Schwahn

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.