RACF (Resource Access Control Facility) is a security product developed by IBM for mainframe systems, used to control access to computer resources. RACF is part of z/OS, IBM's operating system for mainframes. It is an essential tool for organizations that run IBM mainframes, providing robust and efficient control over who can access which resources within the mainframe environment, while also offering advanced auditing and security administration features.
User Display
Let's display a user
RACF - SERVICES OPTION MENU SELECT ONE OF THE FOLLOWING: 1 DATA SET PROFILES 2 GENERAL RESOURCE PROFILES 3 GROUP PROFILES AND USER-TO-GROUP CONNECTIONS 4 USER PROFILES AND YOUR OWN PASSWORD 5 SYSTEM OPTIONS 6 REMOTE SHARING FACILITY 7 DIGITAL CERTIFICATES AND KEY RINGS 99 EXIT Licensed Materials - Property of IBM 5647-A01 (C) Copyright IBM Corp. 1983, 2000 All Rights Reserved - U.S. Government Users OPTION ===> 4 F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
Let's look up the user AAFBXXXX
RACF - USER PROFILE SERVICES PROFILE(S) FOUND SELECT ONE OF THE FOLLOWING: 1 ADD Add a user profile 2 CHANGE Change a user profile 3 DELETE Delete a user profile 4 PASSWORD Change your own password and related information 5 AUDIT Monitor user activity (Auditors only) D or 8 DISPLAY Display profile contents S or 9 SEARCH Search the RACF data base for profiles ENTER THE FOLLOWING INFORMATION: USER ===> AAFBXXXX Userid OPTION ===> 8 F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
Press Enter
RACF - DISPLAY FOR USER PROFILE COMMAND ===> To select the following options, enter any character. _ TSO _ NETVIEW _ DFP _ DCE _ OPERPARM _ OVM _ CICS _ LNOTES _ NATIONAL LANGUAGE _ NDS _ WORK ATTRIBUTES _ KERBEROS _ LDAP PROXY _ OMVS _ EIM _ Exclude basic RACF information F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
Result - press PF8 to scroll forward
BROWSE - RACF COMMAND OUTPUT------------------------ LINE 00000000 COL 001 080
********************************* Top of Data **********************************
USER=AAFBKKKK NAME=UNKNOWN OWNER=DPTSUP CREATED=24.131
 DEFAULT-GROUP=DPTSUP PASSDATE=00.000 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE RESUME DATE=NONE
 LAST-ACCESS=UNKNOWN
 CLASS AUTHORIZATIONS=NONE
 INSTALLATION-DATA=USUARIO RPC DETRAN BCO 240
 NO-MODEL-NAME
 LOGON ALLOWED (DAYS) (TIME)
 ---------------------------------------------
 ANYDAY ANYTIME
  GROUP=DPTSUP AUTH=USE CONNECT-OWNER=DPTSUP CONNECT-DATE=24.131
    CONNECTS= 00 UACC=NONE LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE RESUME DATE=NONE
  GROUP=PRFAEA1 AUTH=USE CONNECT-OWNER=PRFAEA1 CONNECT-DATE=24.131
    CONNECTS= 00 UACC=NONE LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE RESUME DATE=NONE
  GROUP=PRFAPPC AUTH=USE CONNECT-OWNER=PRFAPPC CONNECT-DATE=24.131
    CONNECTS= 00 UACC=NONE LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE RESUME DATE=NONE
  GROUP=APPC AUTH=USE CONNECT-OWNER=APPC CONNECT-DATE=24.134
    CONNECTS= 00 UACC=NONE LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE RESUME DATE=NONE
  GROUP=AEA1 AUTH=USE CONNECT-OWNER=AEA1 CONNECT-DATE=24.134
    CONNECTS= 00 UACC=NONE LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
 NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED
******************************** Bottom of Data ********************************
COMMAND ===> SCROLL ===> PAGE
F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
Delete User
Let's see where a user is deleted from RACF. To delete, start at the main menu and choose option 4
RACF - SERVICES OPTION MENU SELECT ONE OF THE FOLLOWING: 1 DATA SET PROFILES 2 GENERAL RESOURCE PROFILES 3 GROUP PROFILES AND USER-TO-GROUP CONNECTIONS 4 USER PROFILES AND YOUR OWN PASSWORD 5 SYSTEM OPTIONS 6 REMOTE SHARING FACILITY 7 DIGITAL CERTIFICATES AND KEY RINGS 99 EXIT Licensed Materials - Property of IBM 5647-A01 (C) Copyright IBM Corp. 1983, 2000 All Rights Reserved - U.S. Government Users OPTION ===> 4 F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
Option 3 plus the user we want to delete
RACF - USER PROFILE SERVICES SELECT ONE OF THE FOLLOWING: 1 ADD Add a user profile 2 CHANGE Change a user profile 3 DELETE Delete a user profile 4 PASSWORD Change your own password and related information 5 AUDIT Monitor user activity (Auditors only) D or 8 DISPLAY Display profile contents S or 9 SEARCH Search the RACF data base for profiles ENTER THE FOLLOWING INFORMATION: USER ===> AAFBXXXX Userid OPTION ===> 3 F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
Confirming
RACF - DELETE USER USER: AAFBXXXX To confirm the delete request, press the ENTER key. (The user profile will be deleted.) To cancel the delete request, enter the END command. COMMAND ===> F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
Deleted. To check, look the user up again with option 8
RACF - USER PROFILE SERVICES PROFILE DELETED SELECT ONE OF THE FOLLOWING: 1 ADD Add a user profile 2 CHANGE Change a user profile 3 DELETE Delete a user profile 4 PASSWORD Change your own password and related information 5 AUDIT Monitor user activity (Auditors only) D or 8 DISPLAY Display profile contents S or 9 SEARCH Search the RACF data base for profiles ENTER THE FOLLOWING INFORMATION: USER ===> AAFBXXXX Userid OPTION ===> F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
Press Enter
RACF - DISPLAY FOR USER PROFILE COMMAND ===> To select the following options, enter any character. _ TSO _ NETVIEW _ DFP _ DCE _ OPERPARM _ OVM _ CICS _ LNOTES _ NATIONAL LANGUAGE _ NDS _ WORK ATTRIBUTES _ KERBEROS _ LDAP PROXY _ OMVS _ EIM _ Exclude basic RACF information F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
The user no longer exists
BROWSE - RACF COMMAND OUTPUT------------------------ LINE 00000000 COL 001 080 ********************************* Top of Data ********************************** ICH30001I UNABLE TO LOCATE USER ENTRY AAFBXXXX ******************************** Bottom of Data ******************************** COMMAND ===> SCROLL ===> PAGE F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
If deleting the user produces the error message below, RACF cannot delete the user because data set profiles still exist for that user.
ICH04009I UXXXXX CANNOT BE DELETED. DATA SET PROFILES STILL EXIST.
Go to option P.6 to enter commands
CUSTOMPAC MASTER APPLICATION MENU OPTION ===> p.6 SCROLL ===> PAGE USERID - IBMUSER TIME - 07:24 IS ISMF - Interactive Storage Management Facility P PDF - ISPF/Program Development Facility IP IPCS - Interactive Problem Control Facility DI DITTO - Data Interfile Transfer, Testing and Operations SD SDSF - System Display and Search Facility IC ICSF - Integrated Cryptographic Service Facility HC HCD - Hardware Configuration Definition BMR BMR READ - BookManager Read (Read Online Documentation) BMI BMR INDX - BookManager Read (Create Bookshelf Index) S SORT - DF/SORT Dialogs OU USER - z/OS ISPF User Options R RACF - Resource Access Control Facility OS SUPPORT - z/OS ISPF System Support Options SM SMP/E - SMP/E Dialogs TS TSS - TOP SECRET F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
Let's enter the commands that delete the data set profile and then delete the user directly
Menu List Mode Functions Utilities Help ------------------------------------------------------------------------------ ISPF Command Shell Enter TSO or Workstation commands below: ===> Place cursor on choice and press enter to Retrieve command => LISTDSD DA(TESTUSER.**) GENERIC => => => => => => => => => F1=Help F2=Split F3=Exit F7=Backward F8=Forward F9=Swap F10=Actions F12=Cancel
The commands to enter. With them we can delete the user's data set profile and then delete the user:
Command 1 - LISTDSD DA(TESTUSER.**) GENERIC
Command 2 - DELDSD TESTUSER.**
Command 3 - DELUSER testuser
Create User
Let's register the user in RACF: choose option 4 and press Enter
RACF - SERVICES OPTION MENU OPTION ===> 4 SELECT ONE OF THE FOLLOWING: 1 DATA SET PROFILES 2 GENERAL RESOURCE PROFILES 3 GROUP PROFILES AND USER-TO-GROUP CONNECTIONS 4 USER PROFILES AND YOUR OWN PASSWORD 5 SYSTEM OPTIONS 6 REMOTE SHARING FACILITY 7 DIGITAL CERTIFICATES, KEY RINGS, AND TOKENS 99 EXIT Licensed Materials - Property of IBM 5647-A01 (C) Copyright IBM Corp. 1983, 2000 All Rights Reserved - U.S. Government Users Restricted Rights, Use, Duplication or Disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Option 1 ADD - TSSUSER
RACF - USER PROFILE SERVICES OPTION ===> 1 SELECT ONE OF THE FOLLOWING: 1 ADD Add a user profile 2 CHANGE Change a user profile 3 DELETE Delete a user profile 4 PASSWORD Change your own password and related information 5 AUDIT Monitor user activity (Auditors only) D or 8 DISPLAY Display profile contents S or 9 SEARCH Search the RACF data base for profiles ENTER THE FOLLOWING INFORMATION: USER ===> TSSUSER Userid
After that, you can provide more information about the user, such as the user name, default group and password (we set the initial password to SYS1 and confirm it).
RACF - ADD USER TSSUSER COMMAND ===> ENTER THE FOLLOWING INFORMATION: OWNER IBMUSER_ Userid or group name USER NAME CSA_________________ DEFAULT GROUP SYS1____ Group name PASSWORD (case sensitive) ===> sys1 <=== User's initial password (case sensitive) ===> sys1 <=== Re-enter password to verify PHRASE (case sensitive) ===> <=== Up to 100 characters in quotes ===> <=== Re-enter phrase to verify INTERVAL ___ 1 - 254 (days), NO, or blank
We set only these options to YES
RACF - ADD USER TSSUSER COMMAND ===> TO ASSIGN USER ATTRIBUTES, ENTER YES: GROUP ACCESS ===> YES SPECIAL ===> YES ADSP ===> NO OPERATIONS ===> YES OIDCARD ===> NO AUDITOR ===> NO NO-PASSWORD ===> NO RESTRICTED ===> NO IDENTIFY THE MODEL PROFILE FOR USER DATA SETS (OPTIONAL): MODEL PROFILE ===> TO CREATE THE FOLLOWING, ENTER YES (OPTIONAL): A GENERIC DATA SET PROFILE ===> YES A MINIDISK PROFILE ===> NO TO ADD OPTIONAL INFORMATION, ENTER YES ===> yes
We select the option / TSO PARAMETERS
RACF - ADD USER MASTER COMMAND ===> To ADD the following information, enter any character: _ CLASS AUTHORITY _ NDS PARAMETERS _ INSTALLATION DATA _ KERB PARAMETERS _ GROUP AUTHORITY _ LDAP PROXY PARAMETERS _ SECURITY LEVEL or CATEGORIES _ ENTERPRISE IDENTITY MAPPING _ SECURITY LABEL _ CSDATA PARAMETERS _ LOGON RESTRICTIONS _ NATIONAL LANGUAGES _ DFP PARAMETERS / TSO PARAMETERS _ OPERPARM PARAMETERS _ CICS PARAMETERS _ WORK ATTRIBUTES _ OMVS PARAMETERS _ NETVIEW PARAMETERS _ DCE PARAMETERS _ OVM PARAMETERS _ LNOTES PARAMETERS
We enter these defaults
RACF - ADD USER MASTER TSO-RELATED INFORMATION COMMAND ===> ENTER THE FOLLOWING TSO-RELATED INFORMATION: JOB CLASS ===> MESSAGE CLASS ===> HOLD CLASS ===> SYSOUT CLASS ===> ACCOUNT NUMBER ===> ACCT# LOGON PROCEDURE NAME ===> ISPFPROC REGION SIZE ===> UNIT ===> DESTINATION ID ===> MAXIMUM REGION SIZE ===> USER DATA ===> LOGON SECURITY LABEL ===> COMMAND ===> ISPF ===>
Done
RACF - USER PROFILE SERVICES Profile changed OPTION ===> SELECT ONE OF THE FOLLOWING: 1 ADD Add a user profile 2 CHANGE Change a user profile 3 DELETE Delete a user profile 4 PASSWORD Change your own password and related information 5 AUDIT Monitor user activity (Auditors only) D or 8 DISPLAY Display profile contents S or 9 SEARCH Search the RACF data base for profiles ENTER THE FOLLOWING INFORMATION: USER ===> TSSUSER Userid
Press PF3 to exit. Our work here is almost finished, but not quite. After saving the previous work, we need to go back to the main RACF panel and open the "GROUP PROFILES AND USER-TO-GROUP CONNECTIONS" panel, option 3
RACF - SERVICES OPTION MENU OPTION ===> 3 SELECT ONE OF THE FOLLOWING: 1 DATA SET PROFILES 2 GENERAL RESOURCE PROFILES 3 GROUP PROFILES AND USER-TO-GROUP CONNECTIONS 4 USER PROFILES AND YOUR OWN PASSWORD 5 SYSTEM OPTIONS 6 REMOTE SHARING FACILITY 7 DIGITAL CERTIFICATES, KEY RINGS, AND TOKENS 99 EXIT Licensed Materials - Property of IBM 5647-A01 (C) Copyright IBM Corp. 1983, 2000 All Rights Reserved - U.S. Government Users Restricted Rights, Use, Duplication or Disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
In this panel you can create, change, connect or even remove a z/OS group. We want to connect the new TSO user to its specific system groups.
RACF - GROUP PROFILE SERVICES OPTION ===> 4 SELECT ONE OF THE FOLLOWING. 1 ADD Add a group profile 2 CHANGE Change a group profile 3 DELETE Delete a group profile 4 CONNECT Add or change a user connection 5 REMOVE Remove users from the group D or 8 DISPLAY Display profile contents S or 9 SEARCH Search the RACF data base for profiles ENTER THE FOLLOWING INFORMATION. GROUP NAME ===>
The first group is named "sys1", the second "sysctlg" and the last "vsamdset". To actually add the new TSO user, follow these steps. Group SYS1:
RACF - GROUP PROFILE SERVICES OPTION ===> 4 SELECT ONE OF THE FOLLOWING. 1 ADD Add a group profile 2 CHANGE Change a group profile 3 DELETE Delete a group profile 4 CONNECT Add or change a user connection 5 REMOVE Remove users from the group D or 8 DISPLAY Display profile contents S or 9 SEARCH Search the RACF data base for profiles ENTER THE FOLLOWING INFORMATION. GROUP NAME ===> SYS1
Enter these settings
RACF - ADD OR CHANGE CONNECTION TO SYS1 COMMAND ===> IDENTIFY THE USER: USER ===> tssuser Userid ENTER THE CONNECTION INFORMATION TO BE ADDED OR CHANGED: OWNER ===> IBMUSER Userid or group name DEFAULT UACC ===> READ NONE, READ, UPDATE, CONTROL, or ALTER GROUP AUTHORITY ===> JOIN USE, CREATE, CONNECT, or JOIN Press ENTER to continue.
We set these options
RACF - ADD OR CHANGE CONNECTION TO SYS1 COMMAND ===> TO ALLOW USER ATTRIBUTES, ENTER YES TO DENY USER ATTRIBUTES, ENTER NO GROUP ACCESS ===> YES Allow the group to access new group data sets ADSP ===> Create discrete profiles for new permanent data sets REVOKE ===> YES, NO, mm/dd/yy (date), or blank RESUME ===> YES, NO, mm/dd/yy (date), or blank SPECIAL ===> YES Grant group-SPECIAL attribute OPERATIONS ===> YES Grant group-OPERATIONS attribute AUDITOR ===> Grant group-AUDITOR attribute
Done
RACF - GROUP PROFILE SERVICES USER CONNECTED OPTION ===> SELECT ONE OF THE FOLLOWING. 1 ADD Add a group profile 2 CHANGE Change a group profile 3 DELETE Delete a group profile 4 CONNECT Add or change a user connection 5 REMOVE Remove users from the group D or 8 DISPLAY Display profile contents S or 9 SEARCH Search the RACF data base for profiles ENTER THE FOLLOWING INFORMATION. GROUP NAME ===> SYS1
That was for group "sys1"; repeat the previous steps for the other two groups. After these steps the new TSO user is almost ready to use, with just one thing left to do:
Menu Utilities Compilers Options Status Help -------------------------------------------------------------------------------- ISPF Primary Option Menu Option ===> 6 0 Settings Terminal and user parameters User ID . : IBMUSER 1 View Display source data or listings Time. . . : 08:46 2 Edit Create or change source data Terminal. : 3278 3 Utilities Perform utility functions Screen. . : 1 4 Foreground Interactive language processing Language. : ENGLISH 5 Batch Submit job for language processing Appl ID . : ISR 6 Command Enter TSO or Workstation commands TSO logon : ISPFPROC 7 Dialog Test Perform dialog testing TSO prefix: 9 IBM Products IBM program development products System ID : ADCD 10 SCLM SW Configuration Library Manager MVS acct. : ACCT# 11 Workplace ISPF Object/Action Workplace Release . : ISPF 6.0 M More Additional IBM Products Enter X to Terminate using log/list defaults
After opening the command line in z/OS, enter these commands one after another. Type each one and press Enter.
pe acct# class(acctnum) id(TSSUSER) access(read)
pe acct class(tsoauth) id(TSSUSER) access(read)
pe jcl class(tsoauth) id(TSSUSER) access(read)
pe oper class(tsoauth) id(TSSUSER) access(read)
Executed successfully
Menu List Mode Functions Utilities Help -------------------------------------------------------------------------------- ISPF Command Shell Enter TSO or Workstation commands below: ===> Place cursor on choice and press enter to Retrieve command => pe oper class(tsoauth) id(TSSUSER) access(read) => pe jcl class(tsoauth) id(TSSUSER) access(read) => pe acct class(tsoauth) id(TSSUSER) access(read) => pe acct# class(acctnum) id(TSSUSER) access(read) => pe acct# class(acctnum) id(CSA) access(read) => DELUSER master => DELDSD master.* => SETROPTS GENERIC(DATASET) REFRESH => LISTDSD DA(MASTER.*) GENERIC => makesite hlq=tcpip
At this point the new TSO user is fully set up and working. The last thing to do is test the user by logging on:
z/OS Z110 Level 0809 IP Address = VTAM Terminal = LCL702 Application Developer System // OOOOOOO SSSSS // OO OO SS zzzzzz // OO OO SS zz // OO OO SSSS zz // OO OO SS zz // OO OO SS zzzzzz // OOOOOOO SSSS System Customization - ADCD.Z110.* ===> Enter "LOGON" followed by the TSO userid. Example "LOGON IBMUSER" or ===> Enter L followed by the APPLID ===> Examples: "L TSO", "L CICS", "L IMS3270 l tso
Let's log on with our new user
IKJ56700A ENTER USERID - tssuser
------------------------------- TSO/E LOGON ----------------------------------- Enter LOGON parameters below: RACF LOGON parameters: Userid ===> TSSUSER Password ===> sys1 New Password ===> Procedure ===> ISPFPROC Group Ident ===> Acct Nmbr ===> ACCT# Size ===> Perform ===> Command ===> ISPF Enter an 'S' before each option desired below: -Nomail -Nonotice -Reconnect -OIDcard PF1/PF13 ==> Help PF3/PF15 ==> Logoff PA1 ==> Attention PA2 ==> Reshow You may request specific help information by entering a '?' in any entry field
The system responds with "CURRENT PASSWORD HAS EXPIRED - PLEASE ENTER NEW PASSWORD". In this case, just type a new password for the user "TSSUSER".
------------------------------- TSO/E LOGON ----------------------------------- IKJ56415I CURRENT PASSWORD HAS EXPIRED - PLEASE ENTER NEW PASSWORD IKJ56429A REENTER - Enter LOGON parameters below: RACF LOGON parameters: Userid ===> TSSUSER Password ===> *New Password ===> ibmuser Procedure ===> ISPFPROC Group Ident ===> Acct Nmbr ===> ACCT# Size ===> Perform ===> Command ===> ISPF Enter an 'S' before each option desired below: -Nomail -Nonotice -Reconnect -OIDcard PF1/PF13 ==> Help PF3/PF15 ==> Logoff PA1 ==> Attention PA2 ==> Reshow You may request specific help information by entering a '?' in any entry field
The system then responds with "IKJ56447A Reenter the new password in the NEW PASSWORD field for verification". In this case, just type the new password for the user "TSSUSER" again. After re-entering the new password:
------------------------------- TSO/E LOGON ----------------------------------- IKJ56447A Reenter the new password in the NEW PASSWORD field for verification Enter LOGON parameters below: RACF LOGON parameters: Userid ===> TSSUSER Password ===> *New Password ===> ibmuser Procedure ===> ISPFPROC Group Ident ===> Acct Nmbr ===> ACCT# Size ===> Perform ===> Command ===> ISPF Enter an 'S' before each option desired below: -Nomail -Nonotice -Reconnect -OIDcard PF1/PF13 ==> Help PF3/PF15 ==> Logoff PA1 ==> Attention PA2 ==> Reshow You may request specific help information by entering a '?' in any entry field
We are in
ICH70001I TSSUSER LAST ACCESS AT 09:05:03 ON THURSDAY, MAY 16, 2024 ***
We are in
TSSUSER LOGON IN PROGRESS AT 09:08:11 ON MAY 16, 2024 NO BROADCAST MESSAGES ***************************************************************** * * * APPLICATION DEVELOPER'S CONTROLLED DISTRIBUTION (ADCD) * * * * ADCD.Z110.CLIST(ISPFCL) PRODUCES THIS MESSAGE * * ADCD.* DATASETS CONTAIN SYSTEM CUSTOMIZATION * * SMP/E DATASETS CAN BE LOCATED FROM 3.4 WITH DSNAME **.CSI * * HTTP://DTSC.DFW.IBM.COM/ADCD.HTML CONTAINS DOCUMENTATION * * * * USERID PASSWORD COMMENT * * ---------------- ------------ -------------- * * IBMUSER - SYS1/IBMUSER FULL AUTHORITY * * ADCDMST - ADCDMST FULL AUTHORITY * * ADCDA THRU ADCDZ - TEST LIMITED AUTHORITY(NO OMVS)* * OPEN1 THRU OPEN3 - SYS1 UID(0) (NO TSO) * * * ***************************************************************** ISPF ***
We are in
Menu Utilities Compilers Options Status Help -------------------------------------------------------------------------------- ISPF Primary Option Menu 0 Settings Terminal and user parameters User ID . : TSSUSER 1 View Display source data or listings Time. . . : 09:08 2 Edit Create or change source data Terminal. : 3278 3 Utilities Perform utility functions Screen. . : 1 4 Foreground Interactive language processing Language. : ENGLISH 5 Batch Submit job for language processing Appl ID . : ISR 6 Command Enter TSO or Workstation commands TSO logon : ISPFPROC 7 Dialog Test Perform dialog testing TSO prefix: TSSUSER 9 IBM Products IBM program development products System ID : ADCD +-----------------------------------------------+r MVS acct. : ACCT# ! Licensed Materials - Property of IBM ! Release . : ISPF 6.0 ! 5694-A01 Copyright IBM Corp. 1980, 2008. ! ! All rights reserved. ! ! US Government Users Restricted Rights - ! ! Use, duplication or disclosure restricted !s ! by GSA ADP Schedule Contract with IBM Corp. ! +-----------------------------------------------+ Option ===> F1=Help F2=Split F3=Exit F7=Backward F8=Forward F9=Swap F10=Actions F12=Cancel
RACF Command Summary
RACF commands:
ADDGROUP (Add group profile)
ADDSD (Add data set profile)
ADDUSER (Add user profile)
ALTDSD (Alter data set profile)
ALTGROUP (Alter group profile)
ALTUSER (Alter user profile)
CONNECT (Connect user to group)
DELDSD (Delete data set profile)
DELGROUP (Delete group profile)
DELUSER (Delete user profile)
DISPLAY (Display signed-on-from list)
HELP (Obtain RACF help)
LISTDSD (List data set profile)
LISTGRP (List group profile)
LISTUSER (List user profile)
PASSWORD or PHRASE (Specify user password or password phrase)
PERMIT (Maintain resource access lists)
RACDCERT (Manage RACF digital certificates)
RACLINK (Administer user ID associations)
RACMAP (Create, delete, list, or query a distributed identity filter)
RACPRIV (Set write-down privileges)
RACPRMCK (Validate parmlib member syntax)
RALTER (Alter general resource profile)
RDEFINE (Define general resource profile)
RDELETE (Delete general resource profile)
REMOVE (Remove user from group)
RESTART (Restart RACF subsystem functions)
RLIST (List general resource profile)
RVARY (Change status of RACF database)
SEARCH (Search RACF database)
SET
SETROPTS (Set RACF options)
SIGNOFF (Sign off sessions)
STOP (Stop RACF subsystem)
TARGET (Manage RRSF nodes)
Map
+-----------+-----------+-----------+-----------+
|           |           |           | GENERAL   |
| USER      | GROUP     | DATASET   | RESOURCE  |
+-----------+-----------+-----------+-----------+
| ADDUSER   | ADDGROUP  | ADDSD     | RDEFINE   |
| ALTUSER   | ALTGROUP  | ALTDSD    | RALTER    |
| DELUSER   | DELGROUP  | DELDSD    | RDELETE   |
| LISTUSER  | LISTGRP   | LISTDSD   | RLIST     |
| PASSWORD  |           |           |           |
| PHRASE    |           |           |           |
+-----------+-----------+-----------+-----------+
|        CONNECT        |                       |
|        REMOVE         |        PERMIT         |
+-----------------------+-----------------------+
Commands executed
Reset the password of user TEXAS
ALU texas RESUME PASS(missa)
P.6
CUSTOMPAC MASTER APPLICATION MENU OPTION ===> P.6 SCROLL ===> PAGE USERID - TSSUSER TIME - 07:59 IS ISMF - Interactive Storage Management Facility P PDF - ISPF/Program Development Facility IP IPCS - Interactive Problem Control Facility DI DITTO - Data Interfile Transfer, Testing and Operations SD SDSF - System Display and Search Facility IC ICSF - Integrated Cryptographic Service Facility HC HCD - Hardware Configuration Definition BMR BMR READ - BookManager Read (Read Online Documentation) BMI BMR INDX - BookManager Read (Create Bookshelf Index) S SORT - DF/SORT Dialogs OU USER - z/OS ISPF User Options R RACF - Resource Access Control Facility OS SUPPORT - z/OS ISPF System Support Options SM SMP/E - SMP/E Dialogs TS TSS - TOP SECRET F1=HELP F2=SPLIT F3=END F4=RETURN F5=RFIND F6=RCHANGE F7=UP F8=DOWN F9=SWAP F10=LEFT F11=RIGHT F12=RETRIEVE
Reset the Password
Command to reset the password - ALU TEXAS RESUME PASS(missa)
Menu List Mode Functions Utilities Help ------------------------------------------------------------------------------ ISPF Command Shell Enter TSO or Workstation commands below: ===> ALU TEXAS RESUME PASS(missa) Place cursor on choice and press enter to Retrieve command => => => => => => => => => => F1=Help F2=Split F3=Exit F7=Backward F8=Forward F9=Swap F10=Actions F12=Cancel
User Display
LISTUSER userid
Menu List Mode Functions Utilities Help ------------------------------------------------------------------------------ ISPF Command Shell Enter TSO or Workstation commands below: ===> LISTUSER TEXAS Place cursor on choice and press enter to Retrieve command => LISTUSER TEXAS => LISTUSER => ALU TEXAS RESUME PASS(missa) => => => => => => => F1=Help F2=Split F3=Exit F7=Backward F8=Forward F9=Swap F10=Actions F12=Cancel
Result
USER=TEXAS NAME=UNKNOWN OWNER=DEPART CREATED=24.131
 DEFAULT-GROUP=DEPART PASSDATE=00.000 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE RESUME DATE=NONE
 LAST-ACCESS=24.135/08:01:59
 CLASS AUTHORIZATIONS=NONE
 INSTALLATION-DATA=TEXAS
 NO-MODEL-NAME
 LOGON ALLOWED (DAYS) (TIME)
 ---------------------------------------------
 ANYDAY ANYTIME
  GROUP=DPTAB AUTH=USE CONNECT-OWNER=DEPART CONNECT-DATE=24.131
    CONNECTS= 00 UACC=NONE LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
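The LISTUSER output above is what an access review reads. The following added example (not part of the original post) parses captured LISTUSER text and flags the settings this walkthrough applies to TSSUSER: system-wide SPECIAL/OPERATIONS, group-level attributes, JOIN authority and a connect UACC other than NONE. The TSSUSER entry in the sample is constructed from the panel values shown earlier; the function names are this example's own.

```python
import re

# Keywords that introduce a value in LISTUSER output. Longest first so that
# "CONNECT ATTRIBUTES" wins over "ATTRIBUTES" and "DEFAULT-GROUP" over "GROUP".
_KEYS = sorted([
    "USER", "NAME", "OWNER", "CREATED", "DEFAULT-GROUP", "PASSDATE",
    "PASS-INTERVAL", "PHRASEDATE", "ATTRIBUTES", "REVOKE DATE", "RESUME DATE",
    "LAST-ACCESS", "CLASS AUTHORIZATIONS", "INSTALLATION-DATA", "GROUP",
    "AUTH", "CONNECT-OWNER", "CONNECT-DATE", "CONNECTS", "UACC",
    "LAST-CONNECT", "CONNECT ATTRIBUTES",
], key=len, reverse=True)
_KEY_RE = re.compile(r"(?<![A-Z-])(" + "|".join(map(re.escape, _KEYS)) + r")=")

PRIVILEGED = {"SPECIAL", "OPERATIONS", "AUDITOR"}


def parse_listuser(text):
    """Return one dict per USER= entry; each has a 'connects' list of group dicts."""
    users, user, target = [], None, None
    for line in text.splitlines():
        hits = list(_KEY_RE.finditer(line))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            key, value = m.group(1), line[m.end():end].strip()
            if key == "USER":                      # start of a new user entry
                user = {"connects": []}
                users.append(user)
                target = user
            elif key == "GROUP" and user is not None:   # start of a connect section
                target = {}
                user["connects"].append(target)
            if target is not None:
                target[key] = value
    return users


def review_user(user):
    """Return review findings for one parsed user entry."""
    findings = []
    for attr in sorted(set(user.get("ATTRIBUTES", "").split()) & PRIVILEGED):
        findings.append(f"system-wide {attr} attribute")
    if user.get("PASSDATE") == "00.000":
        findings.append("password in initial or expired state (PASSDATE=00.000)")
    if user.get("LAST-ACCESS") == "UNKNOWN":
        findings.append("never logged on (LAST-ACCESS=UNKNOWN)")
    for conn in user["connects"]:
        group = conn.get("GROUP", "?")
        for attr in sorted(set(conn.get("CONNECT ATTRIBUTES", "").split()) & PRIVILEGED):
            findings.append(f"group-{attr} in {group}")
        if conn.get("AUTH") in ("JOIN", "CONNECT"):
            findings.append(f"{conn['AUTH']} authority in {group}")
        if conn.get("UACC", "NONE") != "NONE":
            findings.append(f"connect UACC={conn['UACC']} in {group}")
    return findings


# Constructed sample: TSSUSER as configured in the panels above (values assumed),
# followed by the TEXAS entry as displayed on the page.
SAMPLE = """\
USER=TSSUSER  NAME=CSA  OWNER=IBMUSER  CREATED=24.137
 DEFAULT-GROUP=SYS1  PASSDATE=00.000  PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=UNKNOWN
 CLASS AUTHORIZATIONS=NONE
  GROUP=SYS1  AUTH=JOIN  CONNECT-OWNER=IBMUSER  CONNECT-DATE=24.137
    CONNECTS=    00  UACC=READ  LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=SPECIAL OPERATIONS
    REVOKE DATE=NONE   RESUME DATE=NONE
USER=TEXAS  NAME=UNKNOWN  OWNER=DEPART  CREATED=24.131
 DEFAULT-GROUP=DEPART  PASSDATE=00.000  PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 LAST-ACCESS=24.135/08:01:59
  GROUP=DPTAB  AUTH=USE  CONNECT-OWNER=DEPART  CONNECT-DATE=24.131
    CONNECTS=    00  UACC=NONE  LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
"""

if __name__ == "__main__":
    for entry in parse_listuser(SAMPLE):
        print(entry["USER"])
        for finding in review_user(entry):
            print("  -", finding)
```

A user that combines a system-wide privileged attribute with "never logged on" and an initial password is the first entry to follow up on in such a review.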
SETROPTS LIST
Displaying SETROPTS
Menu List Mode Functions Utilities Help ------------------------------------------------------------------------------ ISPF Command Shell Enter TSO or Workstation commands below: ===> SETROPTS LIST Place cursor on choice and press enter to Retrieve command => SETROPTS LIST => LISTDSD DATASET('cpac' ) ALL GENERIC => LISTDSD DATASET('sys1' ) ALL GENERIC => LISTUSER => LISTDSD DATASET('cpac') ALL => LISTDSD DATASET('ibm') ALL => LISTDSD DATASET('ibm') ALL => => => F1=Help F2=Split F3=Exit F7=Backward F8=Forward F9=Swap F10=Actions F12=Cancel
Result
ATTRIBUTES = INITSTATS NOWHEN(PROGRAM)
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP ACCTNUM JESJOBS TSOAUTH TSOPROC
GENERIC PROFILE CLASSES = DATASET JESJOBS STARTED TSOAUTH
GENERIC COMMAND CLASSES = DATASET ACCTNUM JESJOBS STARTED TSOAUTH
GENLIST CLASSES = NONE
GLOBAL CHECKING CLASSES = NONE
SETR RACLIST CLASSES = NONE
GLOBAL=YES RACLIST ONLY = NONE
AUTOMATIC DATASET PROTECTION IS IN EFFECT
ENHANCED GENERIC NAMING IS IN EFFECT
REAL DATA SET NAMES OPTION IS INACTIVE
JES-BATCHALLRACF OPTION IS INACTIVE
JES-XBMALLRACF OPTION IS INACTIVE
JES-EARLYVERIFY OPTION IS INACTIVE
PROTECT-ALL IS ACTIVE, CURRENT OPTIONS:
  PROTECT-ALL WARNING OPTION IS IN EFFECT
TAPE DATA SET PROTECTION IS INACTIVE
SECURITY RETENTION PERIOD IN EFFECT IS 0 DAYS.
ERASE-ON-SCRATCH IS INACTIVE
SINGLE LEVEL NAMES NOT ALLOWED
LIST OF GROUPS ACCESS CHECKING IS INACTIVE.
INACTIVE USERIDS ARE NOT BEING AUTOMATICALLY REVOKED.
NO DATA SET MODELLING BEING DONE.
PASSWORD PROCESSING OPTIONS:
  PASSWORD CHANGE INTERVAL IS 30 DAYS.
  PASSWORD MINIMUM CHANGE INTERVAL IS 0 DAYS.
  MIXED CASE PASSWORD SUPPORT IS NOT IN EFFECT
  3 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
  AFTER 3 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS,
    A USERID WILL BE REVOKED.
  PASSWORD EXPIRATION WARNING LEVEL IS 3 DAYS.
  INSTALLATION PASSWORD SYNTAX RULES:
    RULE 1 LENGTH(4:8) ********
  LEGEND:
    A-ALPHA C-CONSONANT L-ALPHANUM N-NUMERIC V-VOWEL W-NOVOWEL *-ANYTHING
    c-MIXED CONSONANT m-MIXED NUMERIC v-MIXED VOWEL $-NATIONAL
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE SWITCH FUNCTION.
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE STATUS FUNCTION.
SECLABEL CONTROL IS NOT IN EFFECT
GENERIC OWNER ONLY IS NOT IN EFFECT
COMPATIBILITY MODE IS NOT IN EFFECT
MULTI-LEVEL QUIET IS NOT IN EFFECT
MULTI-LEVEL STABLE IS NOT IN EFFECT
NO WRITE-DOWN IS NOT IN EFFECT
MULTI-LEVEL ACTIVE IS NOT IN EFFECT
CATALOGUED DATA SETS ONLY, IS NOT IN EFFECT
USER-ID FOR JES NJEUSERID IS : ????????
USER-ID FOR JES UNDEFINEDUSER IS : ++++++++
PARTNER LU-VERIFICATION SESSIONKEY INTERVAL MAXIMUM/DEFAULT IS 30 DAYS.
ADDCREATOR IS NOT IN EFFECT
KERBLVL = 0
MULTI-LEVEL FILE SYSTEM IS NOT IN EFFECT
MULTI-LEVEL INTERPROCESS COMMUNICATIONS IS NOT IN EFFECT
MULTI-LEVEL NAME HIDING IS NOT IN EFFECT
SECURITY LABEL BY SYSTEM IS NOT IN EFFECT
PRIMARY LANGUAGE DEFAULT : ENU
SECONDARY LANGUAGE DEFAULT : ENU
***
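The SETROPTS LIST output above explains why a four-character initial password such as sys1 was accepted: the only syntax rule is LENGTH(4:8). The following added example (not part of the original post) audits captured SETROPTS LIST text for that and the other weak settings visible in this listing. The threshold constants are assumed baselines for illustration, and the sample is an excerpt of the output shown on this page.

```python
import re

# Assumed baselines for this example; replace them with your site policy.
MIN_PW_LENGTH = 8
MIN_PW_HISTORY = 8
MAX_FAILED_ATTEMPTS = 5

# Status lines exactly as SETROPTS LIST prints them on this page, with the finding.
_FIXED = [
    ("MIXED CASE PASSWORD SUPPORT IS NOT IN EFFECT",
     "mixed-case passwords are not supported"),
    ("INACTIVE USERIDS ARE NOT BEING AUTOMATICALLY REVOKED",
     "inactive user IDs are never revoked"),
    ("PROTECT-ALL WARNING OPTION IS IN EFFECT",
     "PROTECTALL is in WARNING mode: unprotected data sets remain accessible"),
    ("ERASE-ON-SCRATCH IS INACTIVE",
     "erase-on-scratch is inactive"),
    ("JES-BATCHALLRACF OPTION IS INACTIVE",
     "batch jobs are not required to carry a RACF identity"),
]


def _number(pattern, flat):
    """Return the first captured integer, or None when the line is absent."""
    m = re.search(pattern, flat)
    return int(m.group(1)) if m else None


def audit_setropts(text):
    """Return findings for SETROPTS LIST output, line-wrapped or flattened."""
    flat = " ".join(text.split())          # undo wrapping such as "ATTEMPTS,\n A USERID"
    findings = [msg for needle, msg in _FIXED if needle in flat]

    for func in re.findall(
            r"DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE (\w+) FUNCTION", flat):
        findings.append(f"RVARY {func} still uses the default password")

    # Every syntax rule contributes its minimum length: LENGTH(4:8) or LENGTH(8).
    minimums = [int(n) for n in re.findall(r"RULE \d+ LENGTH\((\d+)", flat)]
    if not minimums:
        findings.append("no password syntax rules are defined")
    elif min(minimums) < MIN_PW_LENGTH:
        findings.append(f"a syntax rule accepts {min(minimums)}-character passwords")

    history = _number(r"(\d+) GENERATIONS OF PREVIOUS PASSWORDS", flat) or 0
    if history < MIN_PW_HISTORY:
        findings.append(f"only {history} previous passwords are remembered")

    if _number(r"PASSWORD MINIMUM CHANGE INTERVAL IS (\d+) DAYS", flat) == 0:
        findings.append("minimum change interval is 0 days: history can be cycled at once")

    attempts = _number(r"AFTER (\d+) CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS", flat)
    if attempts is None or attempts > MAX_FAILED_ATTEMPTS:
        findings.append("no revoke, or a late revoke, after failed password attempts")
    return findings


# Excerpt of the SETROPTS LIST output shown on this page.
SAMPLE = """\
JES-BATCHALLRACF OPTION IS INACTIVE
PROTECT-ALL IS ACTIVE, CURRENT OPTIONS:
  PROTECT-ALL WARNING OPTION IS IN EFFECT
ERASE-ON-SCRATCH IS INACTIVE
INACTIVE USERIDS ARE NOT BEING AUTOMATICALLY REVOKED.
PASSWORD PROCESSING OPTIONS:
  PASSWORD CHANGE INTERVAL IS 30 DAYS.
  PASSWORD MINIMUM CHANGE INTERVAL IS 0 DAYS.
  MIXED CASE PASSWORD SUPPORT IS NOT IN EFFECT
  3 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
  AFTER 3 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS,
    A USERID WILL BE REVOKED.
  INSTALLATION PASSWORD SYNTAX RULES:
    RULE 1 LENGTH(4:8) ********
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE SWITCH FUNCTION.
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE STATUS FUNCTION.
"""

if __name__ == "__main__":
    for finding in audit_setropts(SAMPLE):
        print("-", finding)
```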
Creating a User via Job
An example of creating a user via a batch job so that the user can access TSO
//AAFSNATC JOB (AAFA,DIBD),CLAU,CLASS=S,MSGCLASS=A
//* --------------------------------------------------------------
//* CREATING A USER IN RACF
//* --------------------------------------------------------------
//S0       EXEC PGM=IKJEFT01,DYNAMNBR=75,TIME=100,REGION=6M
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTERM  DD DUMMY
//SYSUADS  DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN  DD *
  DELUSER MASTER
  ADDUSER MASTER +
    NAME('MESTRE') +
    OWNER(IBMUSER) +
    PASSWORD(INITPW) +
    TSO( +
      ACCTNUM(ACCT#) +
      PROC(ISPFPROC) +
      COMMAND(ISPF) +
      JOBCLASS(A) +
      MSGCLASS(X) +
      HOLDCLASS(X) +
      SYSOUTCLASS(X) +
      SIZE(40000) +
      MAXSIZE(0) ) +
    OMVS(HOME('/HOME/MASTER') +
      PROGRAM('/bin/sh') +
      UID(512) )
  PERMIT JCL CLASS(TSOAUTH) ID(MASTER) ACCESS(READ)
  PERMIT OPER CLASS(TSOAUTH) ID(MASTER) ACCESS(READ)
  PERMIT ACCT# CLASS(ACCTNUM) ID(MASTER) ACCESS(READ)
  PERMIT ISPFPROC CLASS(TSOPROC) ID(MASTER) ACCESS(READ)
  SETROPTS REFRESH RACLIST(TSOPROC)
  SETROPTS REFRESH RACLIST(TSOAUTH)
  SETROPTS REFRESH RACLIST(ACCTNUM)
/*