Check out the eserver/zseries/zos/racf/ directory on the z/OS FTP Server for the very useful sample utilities shown below. Please note that the IBM Support Center does not provide support for any of these programs. Please direct all questions and reports of problems to RACF-L
- BPXCHECK, a REXX program which reports on RACF settings related to the assignment of z/OS UNIX UIDs and GIDs (for example, AIM stage, BPX.DEFAULT.USER, BPX.NEXT.USER, BPX.UNIQUE.USER, SHARED.IDS, etc).
- CDT2DYN, a utility to help change installation-defined RACF classes into dynamic classes.
- CUTPWHIS, a utility which removes non-usable passwords from the RACF password history. Non-usable passwords are created when the password history (SETROPTS PASSWORD(HISTORY(xxx)) value is reduced.
- DBSYNC, a utility which compares two RACF databases and creates the commands to make them similar. Can also assist in merging RACF databases from different systems.
- DBU2MSXL, a set of scripts which loads the output of the RACF Database Unload Utility (IRRDBU00) into Microsoft® Excel spreadsheet.
- DBU2MSAC, a set of scripts which loads the output of the RACF Database Unload Utility (IRRDBU00) into Microsoft Access.
- ICHDEX01_DESonly, an ICHDEX01 encryption exit tkat eliminates the use of the RACF masking algorithm for releases of z/OS prior to z/OS V2.2. On z/OS V2.2, masked passwords are not honored.
- IRRHFSU, a utility which unloads the UNIX System Services Hierarchical File System file security information in a manner compatible with with IRRDBU00.
- IRRXUTIL, a set of sample REXX programs which illustrate the power of IRRXUTIL, the new REXX interface to the R_admin callable service. IRRXUTIL allows you to extract profile and SETROPTS information from the RACF database using the REXX programming language.
- KMIGRATE, a tool for migrating existing DCE and MVS users to a Kerberos registry managed ay an OS/390 or z/OS Network Authentication Service server.
- LISTCDT, a tool which analyzes and reports on your RACF Class Descriptor Table (CDT).
- PKISERV, a sample web application that uses RACF's digital certificate support to enable clients to create and retrieve certificates using a web browser. Requires OS/390 V2R10 with supporting PTFs.
- PWDCOPY, a utility which copies passwords from one RACF database to another RACF database.
- PWDPHRONLY, an ICHRIX02 exit which forces users to logon on with password phrases.
- RAC, an z/OS UNIX System Services utility which allows RACF commands to be executed from a z/OS UNIX environment and writes the output to stdout. Note that this utility uses existing command authorization along with authorization to a FACILITY class resource.
- RACFDB2, a utility which helps you migrate your DB2 access control from DB2 to RACF.
- RACFICE2, a set of sample ICETOOL-based reports which find all of the digital certificates in the RACF database which are set to expire in "n" days, count the RACF events by hour, list all of the members of a UNIVERSAL group, and show the value of selected fields in the ICB.
- RACKILL, a utility which unconditionally deletes profiles from the RACF database.
- RACSEQ, a TSO command written in assembler which demonstrates the use of the extract (profile and SETROPTS) functions of the R_admin callable service (IRRSEQ00).
- REXXPWEXIT, a sample new password exit which uses System REXX to call an exec in which password quality rules are coded.
Note: If you use ftp to transfer the files associated with the tools above, please be careful to have the proper ftp mode set. For example, any of the tools which are packaged in TSO TRANSMIT format must be transferred in binary format.
Before files in TSO TRANSMIT format can be 'reconstituted' on an MVS system, the TSO TRANSMIT file must be placed in an MVS data set with a fixed length of 80. This can be done with ftp as long as you set the output file characteristics with one of the ftp commands below (depending upon your ftp client):
- SITE LRECL=80
- LOCSITE LRECL=80
- LITERAL SITE LRECL=80
- QUOTE SITE LRECL=80
In addition, IBM's International Technical Support Organization is making its popular RACTRACE package available. RACTRACE helps you answer security-related questions by allowing you to trace calls made to RACF through MVS's System Authorization Facility (SAF) interface.
If you are running z/OS Release 2 to higher, you also have the RACF SAF Trace function available. For more information on SAF Trace, please see the Security Server RACF Diagnosis Guide (GA22-7689).
Please note that the most current version of RACFICE, a powerful DFSORT ICETOOL application which analyzes the output from the RACF Database Unload Utility and RACF SMF Data Unload Utility, is available in 'SYS1.SAMPLIB(IRRICE)'.
This page was last updated October 2016.