
Securing the Enhanced 3270 User Interface with RACF and OB 700 IF1

In this post I talked about securing the Enhanced 3270 User Interface with RACF.

Since then a new level of the base code (FMID HKOB700) called Interim Feature One (IF1) has arrived in the form of PTF UA69877. But before you go off and apply that, don’t! Instead, apply UA70618, which fixes some issues with the original code that may impact certain users.

In the hold doc (you do read all the hold doc don’t you!) for UA70618 are instructions on setting up new RACF profiles that may be needed if you are using security to protect the Enhanced 3270 User Interface environment. These are the new resources being checked:

KOBUI.USER.COMMAND.<command_name>
KOBUI.ADMIN.PREFS.AUTOUPDATE
KOBUI.ADMIN.LISTUSERS
KOBUI.ADMIN.TRACE.UI.<trace_type>
KOBUI.ADMIN.TRACE.INTERNAL.<trace_type>
KOBUI.ADMIN.USEHUB.<hub_name>
KOBUI.ADMIN.MEMBER.WRITE.<dd_name>.<member_name>
KOBUI.ADMIN.ITM.<hub_name>.SERVICEINDEX
KOBUI.ADMIN.ITM.<hub_name>.<servicepoint_name>.SERVICECONSOLE
KOBUI.ADMIN.ITM.<hub_name>.<servicepoint_name>.SOAPCONSOLE
SYSTEM.<managed_system_name>.<table_name>

You could protect these with the following RACF profiles:

PERMIT KOBUI.USER.**
PERMIT KOBUI.ADMIN.**
PERMIT SYSTEM.**

Recently I came across a problem where a customer needed additional RACF profiles set up in order to log on to the Enhanced 3270 UI. These are:

KOBASE.**
O4SRV.**

The easiest way to add these would be with a UACC of READ, but your installation standards may require a different implementation. I believe a tech note will be forthcoming on the issue soon.

This particular user had a default profile of * in the RACF class with a UACC of NONE, so anything that was not specifically permitted was rejected. If you do not have such a profile in the RACF class used by the Enhanced 3270 UI, then the default action is to allow the request when no profile exists, which basically allows anyone to do anything unless you specifically lock it down. That default-allow approach results in the least amount of work to secure the Enhanced 3270 UI environment.
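As an added example (not from the original post or from the product documentation), the following TSO REXX exec defines the profiles above with a default of NONE and then grants READ to two groups, so that the environment stays locked down even when a catch-all profile is in place. The class name $KOBUI and the group names OMEGUSR and OMEGADM are placeholders; substitute the class your Enhanced 3270 UI RTE actually checks and your own groups.

```rexx
/* Added example: define the OB700 IF1 profiles with UACC(NONE)     */
/* and permit READ to a user group and an admin group.              */
/* Placeholders (not from the post): class $KOBUI, groups OMEGUSR   */
/* (end users) and OMEGADM (administrators).                        */
class = '$KOBUI'
users = 'OMEGUSR'
admins = 'OMEGADM'

/* Profiles needed just to log on, plus the user-level resources     */
user.1 = 'KOBASE.**'
user.2 = 'O4SRV.**'
user.3 = 'KOBUI.USER.**'
user.4 = 'SYSTEM.**'
user.0 = 4

/* Administrative resources: keep these away from ordinary users     */
admin.1 = 'KOBUI.ADMIN.**'
admin.0 = 1

do i = 1 to user.0
  call define_and_permit user.i, users
end
do i = 1 to admin.0
  call define_and_permit admin.i, admins
end

/* Pick up the new generic profiles; the RACLIST refresh is only     */
/* needed if the class is RACLISTed.                                 */
"SETROPTS GENERIC("class") REFRESH"
"SETROPTS RACLIST("class") REFRESH"
exit 0

define_and_permit: procedure expose class
  parse arg profile, group
  /* Generic profile, default access NONE: nothing is allowed unless  */
  /* it is explicitly on the access list.                             */
  "RDEFINE" class profile "UACC(NONE)"
  if rc <> 0 then say 'RDEFINE' profile 'failed, rc='rc
  "PERMIT" profile "CLASS("class") ID("group") ACCESS(READ)"
  if rc <> 0 then say 'PERMIT' profile 'to' group 'failed, rc='rc
  return
```

The class must already be active with generic profile checking enabled (SETROPTS CLASSACT and GENERIC) before RDEFINE with ** names will be accepted.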
