RACF checking for remote connections

Martin Kenney

We are running DB2V7 and have created TSO userids to control access to the
different internet applications. These user ids are set up to have their
passwords never expire. The midrange system verifies a user can access an
application on their end; if they can, the call to DB2 on the mainframe uses
the TSO id given to that application.
We were just audited (SAS70) and they questioned why we have TSO userids
showing up as never used.
The userid and password are verified, but the RACFINIT information is not
reset when the connection is made.

Is there any way to have the connection (DB2 connect) update RACF with the
sign on date/time when the connection is made?

Thanks.

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". The IDUG DB2-L FAQ is at http://www.idugdb2-l.org. The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm

Roger Miller

Re: RACF checking for remote connections
(in response to Martin Kenney)
The work is done with SAF or RACROUTE, so you can use that structure to
make the changes you need. Here are the z/OS 1.6 books for RACF
http://www.ibm.com/servers/eserver/zseries/zos/bkserv/r6pdf/secserv.html
You may want to check on the performance of this change, or test if
the update has been done recently (e.g. within a few seconds) and avoid
the update if so.

Roger Miller

On Mon, 10 Jan 2005 13:18:11 -0600, Marty Kenney
<[login to unmask email]> wrote:

>We are running DB2V7 and have created TSO userids to control access to the
>different internet applications. These user ids are set up to have their
>passwords never expire. The midrange system verifies a user can access an
>application on their end, if they can the call to DB2 on the mainframe uses
>the TSO id given to that application.
>We were just audited (SAS70) and they questioned why we have TSO userids
>showing up as never used.
>The userid and password are verified, but the RACFINIT information is not
>reset when the connection is made.
>
>Is there any way to have the connection (DB2 connect) update RACF with the
>sign on date/time when the connection is made?
>
>Thanks.
>


Martin Kenney

Re: RACF checking for remote connections
(in response to Roger Miller)
Roger, thank you for the link.

Come to find out, we have no problem after all. The RACINIT is being
updated properly. Our auditors were using Vanguard against the same RACF
extract file that was created for them a year ago (not the current
extract) which was within one week of us creating the userids for our
midrange applications. So to them it 'appeared' that either these ids
were not being used (which we knew they were) or RACF was not being
updated when they connected to the mainframe.

I learned two VERY valuable lessons here.
1) Never assume (I know, I know) the auditors know what they are doing.
2) Verify if there really is a problem before posting here and wasting
people's time.


Thanks again!

Marty Kenney
Sr. DB2 DBA
Railinc
(919) 651-5211


-----Original Message-----
From: DB2 Data Base Discussion List [mailto:[login to unmask email] On
Behalf Of Roger Miller
Sent: Tuesday, January 11, 2005 4:17 PM
To: [login to unmask email]
Subject: Re: [DB2-L] RACF checking for remote connections

The work is done with SAF or RACROUTE, so you can use that structure to
make the changes you need. Here are the z/OS 1.6 books for RACF
http://www.ibm.com/servers/eserver/zseries/zos/bkserv/r6pdf/secserv.html
You may want to check on the performance of this change, or test if
the update has been done recently (e.g. within a few seconds) and avoid
the update if so.

Roger Miller

On Mon, 10 Jan 2005 13:18:11 -0600, Marty Kenney
<[login to unmask email]> wrote:

>We are running DB2V7 and have created TSO userids to control access to the
>different internet applications. These user ids are set up to have their
>passwords never expire. The midrange system verifies a user can access an
>application on their end, if they can the call to DB2 on the mainframe uses
>the TSO id given to that application.
>We were just audited (SAS70) and they questioned why we have TSO userids
>showing up as never used.
>The userid and password are verified, but the RACFINIT information is not
>reset when the connection is made.
>
>Is there any way to have the connection (DB2 connect) update RACF with the
>sign on date/time when the connection is made?
>
>Thanks.
>
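
The failure mode this thread ended on (a "never used" finding drawn from a year-old extract taken within a week of the IDs being created), as an added example that is not part of the original posts. The row format, dates, userids and thresholds are constructed assumptions, not the real RACF unload layout or any Vanguard output.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample: simplified "userid,created,last_access" rows, NOT the real
# RACF database unload layout. An empty last_access means no logon is recorded.
SAMPLE_EXTRACT_DATE = date(2004, 1, 12)   # constructed: when the extract was cut
SAMPLE_ROWS = """\
WEBAPP1,2004-01-06,
WEBAPP2,2004-01-08,
TSOUSR1,2001-03-15,2004-01-09
OLDSVC1,2002-07-01,
"""

@dataclass
class UserRow:
    userid: str
    created: date
    last_access: Optional[date]

def parse_rows(text):
    """Parse the simplified rows into UserRow objects."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        userid, created, last = [f.strip() for f in line.split(",")]
        rows.append(UserRow(userid, date.fromisoformat(created),
                            date.fromisoformat(last) if last else None))
    return rows

def review_never_used(rows, extract_date, audit_date,
                      max_extract_age=timedelta(days=7),
                      settle_period=timedelta(days=30)):
    """Classify IDs with no recorded logon without over-reading the evidence."""
    stale = audit_date - extract_date > max_extract_age
    findings = {}
    for r in rows:
        if r.last_access is not None:
            continue                      # a logon is recorded, nothing to flag
        if extract_date - r.created < settle_period:
            # ID was brand new when the extract was cut: absence of a logon
            # says nothing about whether it is used today.
            findings[r.userid] = "too-new-at-extract"
        elif stale:
            findings[r.userid] = "unverified-stale-extract"
        else:
            findings[r.userid] = "never-used"
    return stale, findings
```

Only the `never-used` result is an audit finding; the other two mean a current extract has to be pulled before anything can be concluded.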
