The RACF program directory contains instructions on how to install RACF. In general, the procedure for installing RACF Release 7 when you have not had a previous RACF release installed consists of the following:
I. Install the RACF modules.
Install RACF on a copy of your operating system for testing. You cannot test the RACF system until the entire installation procedure is complete and RACF is activated by an IPL.
2. Allocate, catalog, and format a RACF data set.
RACF provides programs to format RACF data sets. See "RACF Data Set Initialization Program (ICHMINOO)" and "The RACF Data Set
Split/Merge/Extend Utility Program (ICHUT400)" in Chapter 6 for a description of the programs, the requirements for running the programs, and the contents of the RACF data sets after being formatted.
3. Create a data set name table or alter the MSTRJCL (optional).
You can define the RACF data set by creating a RACF data set name table (ICHRDSNT). For multiple RACF data sets, modify the IBM-provided range table (ICHRRNG) and use it in conjunction with the data set name table.
As an alternative, you can define the RACF data set using MSTRJCL.
However, by using the data set name table and the range table, you avoid having to update the MSTRJCL and you centralize control over RACF. See
"Creating Multiple RACF Data Sets" later in this chapter.
4. Update TSO APF-authorized command and program tables.
Update the TSO APF-authorized command table in SYSI.LPALIB with the APF-authorized RACF commands and update the APF-authorized program table with the names of the RACF programs. See the information on authorized program execution in System Programming Library: TSO.
5. Update the RACF class descriptor table and the RACF router table (optional).
With the exception of DATASET, GROUP, and USER classes, all resource classes are represented in a class descriptor table (CDT) in two load modules
ICHRRCDE and ICHRRCDX. ICHRRCDE is optional and contains installation-defined resource classes while ICHRRCDX contains IBM entries.
See "General Resource Classes" and "Class Descriptor Table," in Chapter 5 for information on the class descriptor table.
You should code an ICHRFRTB macro instruction for each entry added to the class descriptor table that will be accessed by the RACROUTE macro instruction. The ICHRFRTB macro generates entries in the optional installation-defined RACF router table, ICHRFROl. This table controls the action taken by the RACF router when it is invoked by the RACROUTE macro instruction. See "Router Table Entry Definition" in Chapter 5 for information on the RACF router table.
6. Create a started procedures table (optional).
If you identify resources to be protected by RACF that are also accessed by started procedures, you must determine if changes are required for the started procedures replaceable module (ICHRIN03) that is part of the RACF
program product. See Chapter 5 "RACF Options" for information on when entries are needed in the started procedures module and how to code the module.
The started procedures table is a discrete load module. Within it, you can indicate that selected started procedures are to be considered as privileged, meaning that all RACHECKs are accepted unconditionally. In addition, the table may include a generic entry.
7. Create exit routines and/or a naming convention table.
You can write exit routines for user transparency and for modifying your installation's RACF security measures. See "RACF Installation Exits."
You can set up and enforce data set naming conventions that are different from the standard RACF naming conventions by using a naming convention table (ICHNCVOO). For information on how to code the table, see "Naming Convention Table" in Chapter 7 and "ICHNCONV Macro" in Chapter 10.
8. Change the parmlib FIX list (optional).
To ensure good IMS/CICS performance, several of the RACF load modules must reside in fixed LP A. A sample IEAFxx member is provided in member RACINSTL in SYSl.SAMPLIB. See "RACF Virtual Storage Requirements"
in Chapter 9 for detailed information. Either create or alter the IEAFIXxx list in SYSl.PARMLIB (see Initialization and Tuning) or use the DATASET macro at SYSGEN time.
Chapter 1. Installing RACF
1-5
9. Install the RACF ISPF panels (optional).
This procedure is optional depending on whether you have ISPF Version 1 (program number 5668-960) or later and intend to use the panels. To use the RACF ISPF panels, perform the following steps:
• Optionally copy RACF ISPF panel driver load module ICHSPFOO (including any aliases) from LINKLIB to LPALIB for improved performance.
• Concatenate the ISPF RACF panel libraries to the appropriate ISPF filenames in your TSO logon procedures. You must concatenate the following libraries:
RACF ISPF library SYSl.HRFPANL to the ISPF library associated with file name ISPPLIB
SYSl.HRFSKEL to ISPSLIB SYSI.HRFMSG to ISPMLIB SYS1.HRFCLST to SYSPROC.
• Modify an existing ISPF panel (the utility selection menu, ISRUTIL, is recommended) to provide entry into the RACF selection menu. If your installation uses the TSO session manager and you want your users to have the option of either using the session manager or the new scrollable table support, use panel ICHPOOSM. If you do not want your users to use the session manager, use panel ICHPOO.
• If your installation does not have ISPF /PDF (Interactive System Productivity Facility/Program Development Facility, program number 5665-268) installed, you should modify panel ICHPI92, as documented in the panel itself, to make use of the TSO editing facilities. You should also modify panel ICHH192 (the help panel) to say TSO edit instead of PDF edit.
10. IPL.
The last step of the installation procedure is to IPL your system with the create link pack area (CLPA) parameter to initialize the system with RACF and to define the first basic profiles on each RACF data set.
The IPL will do the following:
• Define the RACF SVC entry points.
• Load the pageable link pack area (PLP A) with the RACF code and TSO tables. This action is the the result of specifying the CLPA parameter.
• Allow the master scheduler initialization exit routine to initialize the RACF control blocks (for example, the RCVT).
Other System Considerations
• Set the RACF options (for example, disallowing duplicate data set names).
• Write a record (type 81) to the SMF data set indicating the completion of RACF initialization.
• Define the following basic profiles on the new RACF data set:
IBMUSER (user profile)
SYSl, VSAMDSET, and SYSCTLG (group profiles, where VSAMDSET and and SYSCTLG are subgroups of SYS1) Three connect profiles connecting IBMUSER to the three groups During IPL, if the RACF data set cannot be found in the data set name table or in MSTRJCL, (that is, if the data set name table has not been created, or contains an
*
for the data set name, or the RACF data set is not cataloged), the system prompts the operator for a RACF data set name. The operator can respond with the correct name or with 'NONE'.• If the operator specifies 'NONE' for all the RACF data sets, RACF is not active for this IPL. The effect is the same as bypassing RACF initialization processing by using the option in ICHSECOP.
• If the operator specifies 'NONE' during the first IPL after a RACF system has been installed, the basic profiles are not defined to RACF.
They are defined during the first IPL with RACF active.
If you plan to make some of the changes listed below, make the changes before you define your users, groups, and resources to RACF:
• Add TSO profiles to the UADS data set for any new TSO users with the ADD subcommand of the TSO ACCOUNT command (see System Programming Library: TSO).
• Update the SYS1.HELP data set with the RACF commands member, using the IEBUPDTE system utility or the TSO EDIT command. See Utilities or TSO Command Language Reference.
• Assign a specific console to receive system security messages (message routing code = 9), using the VARY console command. See System Commands.
Chapter 1. Installing RACF