
Author Names and ID

RACF to UniKix Secure Migration
PROBLEM STATEMENT
RACF is a product widely used to protect resources on IBM mainframe z/OS systems.

xxxx has a competitive advantage over others when it comes to rehosting mainframe
applications on open systems. Hence it is important to understand the security aspects of
the mainframe environment provided by RACF.

Given the amount of resources secured by RACF, it is necessary to analyze the RACF
internals and map them to the UniKix Secure product where applicable.

This was the first time that data from RACF was migrated to UniKix Secure.
UniKix Secure Architecture / Migration Process
[Figure: UniKix Secure architecture. Diagram labels: Relationships (Users / Principals, Roles / Groups, Permissions, Resource Domains, Resources); UniKix Secure Interfaces (Region 1 and Region 2 Transaction Servers with Runtime Support, Security Server, Security Repository, Security Audit Log, Administration Tools).]

– Unload RACF database
• IRRDBU00 – Create sequential file from RACF database.

– Analysis of the various record types in the unloaded RACF database

• Group profile, user profile, dataset profile and resource profile.
• Each profile has many record types, from which the necessary ones are to be selected.
Mapping & Migration.

– Mapping of the Secure product to the RACF record database.

Principal:
• Principal Name: USBD_NAME (user name) from 0205/0200
• Password: A common password will be set up for each user for the first login. The user must change the password on first login.
• Account exp. date (yyyy-mm-dd): USBD_REVOKE_DATE from 0200
• p/w max days: USBD_PWD_INTERVAL from 0200
• p/w min days: No RACF field maps to this detail in Secure, so we can have a common value for this field.
• Suspension (T|F|M): USBD_REVOKE from 0200. If the user is not revoked, this value will be set to 'M' for all active users.
• Description: USBD_INSTALL_DATA from 0200, if any.

Group:
• Group name: GPBD_NAME from 0100
• Description: GPBD_INSTALL_DATA from 0100

Resource Domain:
• Resource Domain: Define new domains for VSAM datasets, or GRACC_NAME from 0505
• Description: GRBD_INSTALL_DATA from 0500 record type

Resource:
• Resource Type: There is a pre-defined set of resource types for UniKix Secure, which we can use after analyzing the resource.
• Resource Name: GRMEM_MEMBER from 0503 record type for generic resources, or define new resources for VSAM datasets.
• Description: GRBD_INSTALL_DATA from 0500, or manually provide a default description based on resource type.

• Add permissions to resource domain for each group or principal


• Set hierarchy within group (parent group)
• Set hierarchy within resource domains (parent resource domain).

– Migration of RACF database to UniKix Secure using the above mappings.


• The repository is an RDBMS or an LDAP directory.
• Generate the loadfile automatically which then populates the repository.
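
The following is an added example, not the tool described on this page: it parses IRRDBU00 0100 and 0200 records and applies the principal and group mapping rules listed above. The column offsets, the output key names, the default minimum-days value and the 'T' value for revoked users are assumptions; the UniKix Secure loadfile format is not shown on the page, so the result is a plain list of dictionaries.

```python
# Offsets (1-based, inclusive) are assumed; verify against the IRRDBU00 layout.
LAYOUT = {
    "0100": {"GPBD_NAME": (6, 13), "GPBD_INSTALL_DATA": (58, 312)},
    "0200": {"USBD_NAME": (6, 13), "USBD_REVOKE": (50, 53),
             "USBD_PWD_INTERVAL": (60, 62), "USBD_INSTALL_DATA": (125, 379),
             "USBD_REVOKE_DATE": (445, 454)},
}
DEFAULT_PW_MIN_DAYS = 1  # hypothetical common value; RACF has no matching field

def parse_record(line):
    """Return (record_type, fields), or None for record types not mapped here."""
    rtype = line[:4]
    if rtype not in LAYOUT:
        return None
    return rtype, {n: line[s - 1:e].strip() for n, (s, e) in LAYOUT[rtype].items()}

def to_secure(rtype, f):
    """Apply the mapping rules above; output key names are hypothetical."""
    if rtype == "0100":
        return {"kind": "group", "name": f["GPBD_NAME"],
                "description": f["GPBD_INSTALL_DATA"]}
    revoked = f["USBD_REVOKE"].upper() == "YES"
    return {"kind": "principal", "name": f["USBD_NAME"],
            "account_exp_date": f["USBD_REVOKE_DATE"] or None,
            "pw_max_days": int(f["USBD_PWD_INTERVAL"] or 0),
            "pw_min_days": DEFAULT_PW_MIN_DAYS,
            # 'M' for active users is the page's rule; 'T' for revoked is assumed.
            "suspension": "T" if revoked else "M",
            "description": f["USBD_INSTALL_DATA"],
            "must_change_password": True}  # common first-login password

def migrate(lines):
    parsed = (parse_record(line) for line in lines)
    return [to_secure(*p) for p in parsed if p is not None]

def build_line(rtype, **values):  # fixed-width builder for the sample below
    buf = list(rtype.ljust(460))
    for name, val in values.items():
        s, e = LAYOUT[rtype][name]
        buf[s - 1:e] = val.ljust(e - s + 1)[:e - s + 1]
    return "".join(buf)

SAMPLE = [  # constructed records, not taken from a real RACF database
    build_line("0100", GPBD_NAME="PAYROLL", GPBD_INSTALL_DATA="Payroll team"),
    build_line("0200", USBD_NAME="JDOE", USBD_REVOKE="NO", USBD_PWD_INTERVAL="030"),
    build_line("0200", USBD_NAME="OLDUSR", USBD_REVOKE="YES",
               USBD_REVOKE_DATE="2020-01-31"),
    "0205 JDOE     PAYROLL",  # record type with no mapping here; skipped
]
```

Calling `migrate(SAMPLE)` returns one group and two principals; the 0205 line is dropped because no layout is defined for it.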
Key Achievements / Next Steps
– A POC was done for a certain set of transactions identified by the customer, for
which the load file was generated manually based on the above approach.
– Currently, the tool that automatically generates the loadfile is in beta
and is in the testing stage.
– Not all of the RACF record types have been analyzed and mapped to
UniKix Secure.
– RACF is used to control access to:
• The z/OS system and many of its subsystems and applications.
• Terminals, MVS and JES consoles.
• Data, load modules.
• IMS/CICS transactions, files, etc., and installation-defined resources.

– The ultimate state is to be able to generate a loadfile which would help
secure all of the above resources from RACF, re-hosted from the mainframe
to UniKix TPE regions.
