
List:       racf-l
Subject:    Re: Service machines in z/VM
From:       Dovid Wakser <0000051422d81dd4-dmarc-request () LISTSERV ! UGA ! EDU>
Date:       2016-09-12 12:46:28
Message-ID: 001901d20cf3$b251feb0$16f5fc10$ () com

Thanks. All these users have always been set up with LOGONBY but I never
removed the passwords and/or password phrases. I will consider using RESUME
until I have the time to change and test things.

-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of
Boyer, William L
Sent: Monday, September 12, 2016 1:40 PM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: Service machines in z/VM

David, 
If you are at z/VM 6.3, you can change all your service machine user IDs in
RACF to "PROTECTED" user IDs by deleting the password and password phrase.
If you list the user ID it should show an ATTRIBUTES=PROTECTED.

If you are not at z/VM 6.3 then you will need to do an ALU userid RESUME on
all the service machine IDs at an interval less than your autorevoke
interval. I wrote a REXX EXEC to do an ALU on all service machines for the
RACF administrator.

NOTE: If you need to log in to a protected user ID you will need to create a
LOGONBY.userid. Give the group (system programmers) READ permission to the
profile. Then to log on you must do a LOGON userid BY sysprogid and, when
prompted, give the sysprogid password.


William Boyer
Principal Administrator, Mainframe Systems General Dynamics Health Solutions
One W. Pennsylvania Ave.
Baltimore, MD 21204
(410) 842-1706
(410) 832-8329 fax
william.boyer@gdit.com
www.gdhealth.com





-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of
Dovid Wakser
Sent: Thursday, September 08, 2016 8:59 AM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Service machines in z/VM

All:

	I had a relatively unpleasant surprise on Monday. We re-IPLed z/VM
for the first time since implementing RACF, in February. And, to my
surprise, many of the "service" machines (which run constantly) had been
"revoked" - including AUTOLOG2, OPERATOR, TCPIP, VMSERV(S, U, R, & P). 

	I thought of a few methods of making certain this does not happen in
the future (e.g. IPL every month). However, I wanted to know what OTHER z/VM
shops are doing to prevent this.

	Thanks, in advance.

David Wakser
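
The two approaches described in William Boyer's reply, sketched as one CMS REXX EXEC. This is an added example, not part of the thread and not the EXEC he mentions. Assumptions: the name SVMKEEP is hypothetical, the user ID list is the set named in the original question, LOGONBY profiles are kept in the SURROGAT class, the group name is supplied by the caller, and RAC returns a non-zero code when the RACF command fails.

```rexx
/* SVMKEEP EXEC: added illustration, not the EXEC mentioned in the thread.  */
/* Usage: SVMKEEP RESUME          (pre-6.3 path: periodic ALTUSER RESUME)   */
/*        SVMKEEP PROTECT group   (6.3 path: LOGONBY first, then PROTECTED) */
/* Assumptions: run on CMS by a RACF SPECIAL user; RAC returns non-zero     */
/* when the RACF command fails; LOGONBY profiles are in class SURROGAT;     */
/* "group" is the system programmer group, supplied by the caller.          */
Parse Upper Arg mode group .
ids = 'AUTOLOG2 OPERATOR TCPIP VMSERVS VMSERVU VMSERVR VMSERVP' /* from thread */
If mode <> 'RESUME' & (mode <> 'PROTECT' | group = '') Then Do
  Say 'Usage: SVMKEEP RESUME | PROTECT group'
  Exit 4
End
failed = ''
Do i = 1 To Words(ids)
  id = Word(ids, i)
  If mode = 'RESUME' Then ok = Racf('ALTUSER' id 'RESUME')
  Else Do
    /* Grant the LOGON userid BY path before removing the password, so the */
    /* ID is never left without a way to log on interactively.             */
    ok = Racf('RDEFINE SURROGAT LOGONBY.'id 'UACC(NONE)')
    If ok Then
      ok = Racf('PERMIT LOGONBY.'id 'CLASS(SURROGAT) ID('group') ACCESS(READ)')
    If ok Then ok = Racf('ALTUSER' id 'NOPASSWORD NOPHRASE')
    /* Listing the user should now show ATTRIBUTES=PROTECTED.              */
    If ok Then Call Racf 'LISTUSER' id
  End
  If ok = 0 Then failed = failed id
End
If failed <> '' Then Do
  Say 'Needs attention:' Strip(failed)
  Exit 8
End
Exit 0

/* Issue one RACF command through RAC; return 1 on success, 0 on failure.  */
Racf: Procedure
  Parse Arg cmd
  Address CMS 'RAC' cmd
  If rc = 0 Then Return 1
  Say 'RC' rc 'from: RAC' cmd
  Return 0
```

In RESUME mode the EXEC has to be scheduled more often than the autorevoke interval. In PROTECT mode a rerun reports IDs whose LOGONBY profile already exists rather than redefining it.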