Resource Access Control Facility

Last updated June 03, 2024

RACF [pronounced Rack-Eff], short for Resource Access Control Facility, is an IBM software product. It is a security system that provides access control and auditing functionality for the z/OS and z/VM operating systems. RACF was introduced in 1976.^[1] Originally called RACF it was renamed to z/OS Security Server (RACF), although most mainframe folks^{[ who? ]} still refer to it as RACF.^[2]

Identification and verification of a user via user id and password check (authentication)
Identification, classification and protection of system resources
Maintenance of access rights to the protected resources (access control)
Controlling the means of access to protected resources
Logging of accesses to a protected system and protected resources (auditing)

RACF establishes security policies rather than just permission records. It can set permissions for file patterns—that is, set the permissions even for files that do not yet exist. Those permissions are then used for the file (or other object) created at a later time.^[3]

Community

There is a long established technical support community for RACF based around a LISTSERV operated out of the University of Georgia. The list is called RACF-L which is described as RACF Discussion List. The email address of the listserv is RACF-L@LISTSERV.UGA.EDU and can also be viewed via a webportal at https://listserv.uga.edu/scripts/wa-UGA.exe .^[4]^[5]

Books

The first text book published (first printing December 2007) aimed at giving security professionals an introduction to the concepts and conventions of how RACF is designed and administered was Mainframe Basics for Security Professionals: Getting Started with RACF by Ori Pomerantz, Barbara Vander Weele, Mark Nelson, and Tim Hahn.^[3]

Evolution

RACF has continuously evolved^[6] to support such modern security features as digital certificates/public key infrastructure services, LDAP interfaces, and case sensitive IDs/passwords. The latter is a reluctant concession to promote interoperability with other systems, such as Unix and Linux. The underlying zSeries (now IBM Z) hardware works closely with RACF. For example, digital certificates are protected within tamper-proof cryptographic processors. Major mainframe subsystems, especially Db2, use RACF to provide multi-level security (MLS).

Its primary competitors have been ACF2 and TopSecret, both now produced by CA Technologies.^[7]

Related Research Articles

Multiple Virtual Storage, more commonly called MVS, is the most commonly used operating system on the System/370, System/390 and IBM Z IBM mainframe computers. IBM developed MVS, along with OS/VS1 and SVS, as a successor to OS/360. It is unrelated to IBM's other mainframe operating system lines, e.g., VSE, VM, TPF.

A mainframe computer, informally called a mainframe or big iron, is a computer used primarily by large organizations for critical applications like bulk data processing for tasks such as censuses, industry and consumer statistics, enterprise resource planning, and large-scale transaction processing. A mainframe computer is large but not as large as a supercomputer and has more processing power than some other classes of computers, such as minicomputers, servers, workstations, and personal computers. Most large-scale computer-system architectures were established in the 1960s, but they continue to evolve. Mainframe computers are often used as servers.

An operating system (OS) is system software that manages computer hardware and software resources, and provides common services for computer programs.

VSEⁿ is an operating system for IBM mainframe computers, the latest one in the DOS/360 lineage, which originated in 1965. It is less common than z/OS and is mostly used on smaller machines.

z/OS is a 64-bit operating system for IBM z/Architecture mainframes, introduced by IBM in October 2000. It derives from and is the successor to OS/390, which in turn was preceded by a string of MVS versions. Like OS/390, z/OS combines a number of formerly separate, related products, some of which are still optional. z/OS has the attributes of modern operating systems but also retains much of the older functionality that originated in the 1960s and is still in regular use—z/OS is designed for backward compatibility.

Db2 is a family of data management products, including database servers, developed by IBM. It initially supported the relational model, but was extended to support object–relational features and non-relational structures like JSON and XML. The brand name was originally styled as DB2 until 2017, when it changed to its present form.

VM is a family of IBM virtual machine operating systems used on IBM mainframes System/370, System/390, zSeries, System z and compatible systems, including the Hercules emulator for personal computers.

IBM CICS is a family of mixed-language application servers that provide online transaction management and connectivity for applications on IBM mainframe systems under z/OS and z/VSE.

WebSphere Application Server (WAS) is a software product that performs the role of a web application server. More specifically, it is a software framework and middleware that hosts Java-based web applications. It is the flagship product within IBM's WebSphere software suite. It was initially created by Donald F. Ferguson, who later became CTO of Software for Dell. The first version was launched in 1998. This project was an offshoot from IBM HTTP Server team starting with the Domino Go web server.

A mainframe audit is a comprehensive inspection of computer processes, security, and procedures,with recommendations for improvement.

An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas.

In computing, a Parallel Sysplex is a cluster of IBM mainframes acting together as a single system image with z/OS. Used for disaster recovery, Parallel Sysplex combines data sharing and parallel computing to allow a cluster of up to 32 systems to share a workload for high performance and high availability.

IBM System z9 is a line of IBM mainframe computers. The first models were available on September 16, 2005. The System z9 also marks the end of the previously used eServer zSeries naming convention. It was also the last mainframe computer that NASA ever used.

IBM Z is a family name used by IBM for all of its z/Architecture mainframe computers. In July 2017, with another generation of products, the official family was changed to IBM Z from IBM z Systems; the IBM Z family now includes the newest model, the IBM z16, as well as the z15, the z14, and the z13, the IBM zEnterprise models, the IBM System z10 models, the IBM System z9 models and IBM eServer zSeries models.

IBM System Management Facility (SMF) is a component of IBM's z/OS for mainframe computers, providing a standardised method for writing out records of activity to a file (or data set to use a z/OS term). SMF provides full "instrumentation" of all baseline activities running on that IBM mainframe operating system, including I/O, network activity, software usage, error conditions, processor utilization, etc.

ACF2 is a commercial, discretionary access control software security system developed for the MVS, VSE and VM IBM mainframe operating systems by SKK, Inc. Barry Schrager, Eberhard Klemens, and Scott Krueger combined to develop ACF2 at London Life Insurance in London, Ontario in 1978. The "2" was added to the ACF2 name by Cambridge Systems to differentiate it from the prototype, which was developed by Schrager and Klemens at the University of Illinois—the prototype name was ACF. The "2" also helped to distinguish the product from IBM's ACF/VTAM.

A user exit is a subroutine invoked by a software package for a predefined event in the execution of the package. In some cases the exit is specified by the installation when configuring the package while in other cases the users of the package can substitute their own subroutines in place of the default ones provided by the package vendor to provide customized functionality. In some cases security controls restrict exits to authorized users, e.g., EXCP appendages in MVS.

<span class="mw-page-title-main">Linoma Software</span>

Linoma Software was a developer of secure managed file transfer and IBM i software solutions. The company was acquired by HelpSystems in June 2016. Mid-sized companies, large enterprises and government entities use Linoma's software products to protect sensitive data and comply with data security regulations such as PCI DSS, HIPAA/HITECH, SOX, GLBA and state privacy laws. Linoma's software runs on a variety of platforms including Windows, Linux, UNIX, IBM i, AIX, Solaris, HP-UX and Mac OS X.

Linux on IBM Z or Linux on zSystems is the collective term for the Linux operating system compiled to run on IBM mainframes, especially IBM Z / IBM zSystems and IBM LinuxONE servers. Similar terms which imply the same meaning are Linux/390, Linux/390x, etc. The three Linux distributions certified for usage on the IBM Z hardware platform are Red Hat Enterprise Linux, SUSE Linux Enterprise Server, and Ubuntu.

ERP Security is a wide range of measures aimed at protecting Enterprise resource planning (ERP) systems from illicit access ensuring accessibility and integrity of system data. ERP system is a computer software that serves to unify the information intended to manage the organization including Production, Supply Chain Management, Financial Management, Human Resource Management, Customer Relationship Management, Enterprise Performance Management.

References

1 2 "IBM RACF". IBM . Retrieved August 17, 2012.
↑ "z/OS Security Server (RACF)". www.ibm.com. 2015-07-02. Retrieved 2021-08-06.
1 2 Ori Pomerantz (2008). Mainframe basics for security professionals: getting started with RACF. Upper Saddle River, NJ: IBM Press. ISBN 978-0-13-173856-0. OCLC 213380831.
↑ "Internet sources". www.ibm.com. 2013-09-28. Retrieved 2021-08-06.
↑ "LISTSERV - LISTSERV Archives - LISTSERV.UGA.EDU". listserv.uga.edu. Retrieved 2021-08-06.
↑ "IBM RACF - The History of RACF" . Retrieved August 17, 2012.
↑ Jeffrey Yost, "The Origin and Early History of the Computer Security Software Products Industry," IEEE Annals of the History of Computing 37 no. 2 (2015): 46-58 doi

External links

This computer security article is a stub. You can help Wikipedia by expanding it.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[IBMRACF-1] 1 2 "IBM RACF". IBM . Retrieved August 17, 2012.

[2] "z/OS Security Server (RACF)". www.ibm.com. 2015-07-02. Retrieved 2021-08-06.

[:0-3] 1 2 Ori Pomerantz (2008). Mainframe basics for security professionals: getting started with RACF. Upper Saddle River, NJ: IBM Press. ISBN 978-0-13-173856-0. OCLC 213380831.

[4] "Internet sources". www.ibm.com. 2013-09-28. Retrieved 2021-08-06.

[5] "LISTSERV - LISTSERV Archives - LISTSERV.UGA.EDU". listserv.uga.edu. Retrieved 2021-08-06.

[6] "IBM RACF - The History of RACF" . Retrieved August 17, 2012.

[7] Jeffrey Yost, "The Origin and Early History of the Computer Security Software Products Industry," IEEE Annals of the History of Computing 37 no. 2 (2015): 46-58 doi

[1]

[2]

[3]

[4]

[5]

[6]

[7]

v t e Authentication
Authentication APIs	BSD Authentication (BSD Auth) eAuthentication (eAuth) Generic Security Services API (GSSAPI) Java Authentication and Authorization Service (JAAS) Pluggable Authentication Modules (PAM) Simple Authentication and Security Layer (SASL) Security Support Provider Interface (SSPI) XCert Universal Database API (XUDA)
Authentication protocols	ACF2 Authentication and Key Agreement (AKA) CAVE-based authentication Challenge-Handshake Authentication Protocol (CHAP) MS-CHAP Central Authentication Service (CAS) CRAM-MD5 Diameter Extensible Authentication Protocol (EAP) Host Identity Protocol (HIP) IndieAuth Kerberos LAN Manager NT LAN Manager (NTLM) OAuth OpenID OpenID Connect (OIDC) Password-authenticated key agreement protocols Password Authentication Protocol (PAP) Protected Extensible Authentication Protocol (PEAP) Remote Access Dial In User Service (RADIUS) Resource Access Control Facility (RACF) Secure Remote Password protocol (SRP) TACACS Woo–Lam
Category Commons