When hundreds and some times thousands of security validations occur every minute on the mainframe, performance and availability are paramount. In this session the presenter shows some different techniques that when implemented can help improve RACF performance, so that it does not become the source of your performance problems.
2. Agenda
Conclusion
Summary of what
was discussed and
key points to
remember
Questions
Ask away any
questions that you
may have!
Things to Consider
Other things that you may
consider when improving
RACF performance and
security
Improve Performance
Technical description of ways
to improve performance in
RACF
Performance
What is performance and
areas that can help to
improve performance in
RACF
ABOUT ME
Brief description
about the presenter
3. Who Am I?
RUI MIGUEL FEIO
• Working with RSM since 2010
• Working with mainframes for the past 17 years
• Started with IBM as an MVS Sys Programmer
• Specialises in mainframe security
• Experience in other platforms
Key facts:
SENIOR TECHNICAL LEAD
9. Global Access Table (GAT)
Improve performance:
• Include “public” resources
• Reduced number of entries to minimise time spent
checking the GAT
• Deactivate GAT checking in no GAT entries for a
specific class
Bear in mind:
• Access granted via the GAT isn’t logged
• An entry in the GAT supersedes any corresponding
RACF resource profiles
• Define equivalent profiles in RACF classes in case GAT
becomes unavailable
10. RACLIST
Improve performance:
• RACLIST every RACF class you can
• Alternatively use RACGLIST and GENLIST:
• With GENLIST, RACF information is copied into real storage
(ECSA)
• GENLIST works best with frequently accessed profiles
• RACGLIST reduces IPL time in a data sharing environment
Bear in mind:
• RACLIST copies RACF information into virtual space
• Don’t refresh in-storage data too often
• RACLIST and GENLIST can’t be used together
• In most sites use of RACLIST is sufficient
11. SETROPTS
• Applies to discrete non-RACLISTed profiles
• Produces statistics of little value
• Disable this by issuing SETROPTS NOSTATISTICS(*)
STATISTICS(class_name)
• Don’t audit frequent, unimportant events
• Don’t use AUDIT(SUCCESS) on APPL profiles
• Use dataset profiles’ AUDIT option instead of AUDIT(DATASET)
• Don’t use LOGOPTIONS(ALWAYS) for frequently used RACF
classes
AUDIT(class_name) & LOGOPTIONS(option)
12. SETROPTS
• Avoid using ERASE(ALL)
• With modern DASD, DASD does the work and no CPU or I/O is
involved which means the impact is minimum but…
• Check this option with your Storage team
ERASE(option)
• To avoid producing excessive SMF records that may affect
system performance, some sites opt for NOOPERAUDIT
• If using System or Group wide OPERATIONS then OPERAUDIT
should be enabled
• Replace OPERATIONS by equivalent Storage Administration
OPERAUDIT
16. System
• Enqueue Residence Value
• Increase ERV in IEAOPTxx
• Grants more CPU to any process
with an enqueue on RACF
• The default value is 500
• Recommended value is in the
range of 40,000 to 50,000
• This will optimise performance to
any enqueues to system
resources
• Speak with Sys Progs team
ERV
Data
Blocks
z/OS
17. System
• Couple Facility
• RACF DBs shared in a Sysplex can
benefit from CF caching
• Index and data blocks will be
stored in the CF
• Can use CF even for a stand-alone
non-sysplex system
• Ensure CF cache is large enough
to hold all non-RACLISTed profiles
• Speak with Sys Progs team
CF
Data
Blocks
z/OS
26. RACF Security team
Tools
Use tools that will help with
the security role (e.g IBM
zSecure, Vanguard)
Collaborate
Collaborate with other
mainframe teams.
Consider sharing ideas
with teams of other
companies
Education
Keep up-to-date with
what’s happening in the
mainframe realm
RACF DB
Maintain RACF DB; remove
redundant profiles, userids,
groups and Classes.
Group Tree
Review and remediate
RACF group tree
structure (e.g. RBAC)
Processes
Implement adequate
security processes and
procedures
RACF Team
30. In Conclusion…
Strategy
Define a strategy with the other teams on how
to improve the systems, processes and
procedures
Measures & Targets
To evaluate performance
improvement you need to be able
to measure and compare.
Performance Analysis
Performance team needs to get
involved to help with the
performance improvement
Assessment
Optimising RACF is not only a systems
task; it is also a team effort. Assess who
needs to be involved and what will need
changing.
Objectives
The objective of improving performance
needs to be take in consideration other
aspects such as cost, effort, etc.
Strategic Initiatives
In a world evermore dependent on
the technology, performance and
security must go hand-in-hand.
Strategy Map
Once a strategy is defined, a ”map”
must be made available to all parts
to allow full implementation.
Evaluation
Evaluate the impact of changes in
terms of performance and security
and remediate accordingly if required.