S 2.294 Synchronisation of z/OS passwords and RACF commands
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
In large mainframe installations, many z/OS operating systems and their RACF databases (Resource Access Control Facility) often communicate with each other. There is frequently a need to synchronise password changes or RACF commands across several z/OS systems of the cluster.
With password synchronisation, the passwords of the users are synchronised automatically on several z/OS systems so that each user only has to use a single password.
With RACF command synchronisation, RACF commands can be executed simultaneously on several z/OS systems. The corresponding RACF command is entered on one system and forwarded to all other systems by the central RACF administration. RACF supports this with the RRSF feature (RACF Remote Sharing Facility).
Such systems are also referred to as a synchronisation cluster. The following recommendations must be taken into consideration for a synchronisation cluster.
Standardisation
It must be ensured that the design of the RACF databases and the rules applied to them are as identical as possible on all systems of the synchronisation cluster. Before establishing a synchronisation cluster, standardisation should therefore be carried out as comprehensively as possible (see S 2.285 Determining standards for z/OS system definitions).
Disabling a user ID
With password synchronisation, it must be ensured that the blocking (revoke) of a user ID after several incorrect password entries is not forwarded to all other systems of the synchronisation cluster. Otherwise, the user would be blocked on all systems. Unblocking (resume), on the other hand, can be forwarded as often as necessary.
Forwarding RACF commands
RACF command synchronisation must be performed with the utmost care, because erroneous RACF commands resulting in undesired changes are immediately executed on all systems of the synchronisation cluster. Consideration should therefore be given to excluding particularly security-critical RACF commands, i.e. those that could impair the stability of the connected systems, from synchronisation.
Securing the administration function
The interface to the administration function of the synchronisation program (often an ISPF interface, Interactive System Productivity Facility) must only be available to authorised employees within the scope of their work.
Damage containment by dividing the cluster
In order to contain the potential damage during RACF command synchronisation, consideration must be given to dividing one large synchronisation cluster into two or more smaller sub-clusters.
In this way, the execution of erroneous, security-critical RACF commands is limited to the respective sub-cluster, and a total failure of all systems due to erroneous RACF commands can be prevented.
It must be possible to connect the hard disks of a sub-cluster's systems that are required for operation to the systems of another sub-cluster. In this way, data important for the operation of a failed sub-cluster, e.g. the RACF database, can be restored at least partially.
The division of one large synchronisation cluster into several small sub-clusters increases the administration effort required since every sub-cluster must be administered separately.
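The forwarding rules described above (password changes synchronised within a sub-cluster, an automatic revoke kept local while a resume is forwarded, security-critical commands excluded, damage limited to the originating sub-cluster) as a small routing policy in Python. This is an added illustration, not RACF or RRSF code; the system names, the sub-cluster layout, the event kinds and the list of excluded commands are constructed assumptions.

```python
"""Forwarding policy of a z/OS synchronisation cluster (constructed model).

Not RACF/RRSF code: event kinds, system names and the excluded-command
list are assumptions made for this illustration only.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sub-cluster layout: systems that share synchronised RACF data.
SUB_CLUSTERS: dict[str, set[str]] = {
    "A": {"SYS1", "SYS2"},
    "B": {"SYS3", "SYS4"},
}

# Constructed list of RACF command verbs treated as security-critical for
# the cluster; they are applied only on the system where they were entered.
EXCLUDED_COMMANDS = {"SETROPTS", "RVARY"}


@dataclass(frozen=True)
class Event:
    kind: str          # "PASSWORD", "REVOKE", "RESUME" or "COMMAND"
    origin: str        # system on which the event occurred
    command: str = ""  # command verb, used when kind == "COMMAND"


def sub_cluster_of(system: str) -> set[str]:
    """Return all members of the sub-cluster containing `system`."""
    for members in SUB_CLUSTERS.values():
        if system in members:
            return members
    raise ValueError(f"unknown system {system}")


def targets(ev: Event) -> set[str]:
    """Systems the event may be forwarded to; the origin itself is excluded."""
    peers = sub_cluster_of(ev.origin) - {ev.origin}   # never beyond sub-cluster
    if ev.kind == "PASSWORD":
        return peers
    if ev.kind == "REVOKE":
        # Automatic revoke after repeated wrong passwords stays local, so a
        # lockout on one system does not block the user on every system.
        return set()
    if ev.kind == "RESUME":
        return peers                                   # unblocking may spread
    if ev.kind == "COMMAND":
        return set() if ev.command.upper() in EXCLUDED_COMMANDS else peers
    raise ValueError(f"unknown event kind {ev.kind}")
```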
Review questions:
- Was standardisation carried out as comprehensively as possible before establishing a synchronisation cluster in z/OS, so that the design of the RACF databases and the rules applied to them are as identical as possible on all systems of the synchronisation cluster?
- Has password synchronisation been set up in such a way that the blocking (revoke) of a user ID after several incorrect password entries is not forwarded to all other systems of the synchronisation cluster?
- Has it been ensured that the interface to the administration function of the synchronisation program for z/OS systems is only available to authorised employees within the scope of their work?