RACF Remote Sharing Facility
The RACF Remote Sharing facility (referred to as RRSF) is a RACF feature that interconnects multiple RACF systems over SNA and APPC/MVS connections. The interconnection between RACF systems enables the site to synchronize RACF repositories between different z/OS images. The synchronization is achieved by RACF shipping the following over RRSF connections:
- RACF commands issued in one RACF system.
- RACF application updates performed in one RACF system.
- Password synchronization between predefined user associations between RACF systems.
- Automatic password synchronization for the same user on various RACF systems.
The following terms are used in the discussion that follows:
- managed system (or node) – a RACF system where full management by Connector for RACF is implemented and Connector for RACF communicates with IdentityIQ.
- non-managed system (or node) – a RACF system where full management by Connector for RACF is not implemented.
The following diagram depicts the setup of two RACF systems, RACFN1 and RACFN2. Each system is connected via RRSF to a third system, RACFM. This setup is representative of an environment with many non-managed RACF systems (nodes), such as RACFN1 and RACFN2, where each non-managed RACF node has an RRSF connection to one managed RACF node.
Direct RRSF connections between non-managed RACF nodes are possible and most likely exist; however, such connections are not included in the scope of this guide.
In the previous example, some RACF events on non-managed nodes are synchronized with RACF on the managed node and are consequently intercepted by Connector for RACF on the managed node.
However, a problem exists with this setup, related to RRSF automatic password synchronization for a given user on various RACF systems. When a user initiates a password change on a non-managed system (called the origin non-managed node), RACF ships the password change event to the managed node (called the target managed node). This password change is applied to the RACF repository on the target managed node. However, the password change does not drive the Connector for RACF exits, which are part of the Connector for RACF interception mechanism. As a result, the password change is not forwarded to IdentityIQ, and the new password is not propagated to other systems managed by Connector for RACF.
The Connector for RACF RRSF feature overcomes this problem and enables a single managed RACF node to intercept user-initiated password changes incoming over RRSF from multiple non-managed RACF nodes.
All other events automatically synchronized by RRSF drive the native Connector for RACF interception exits on the managed node; thus the RRSF feature for user-initiated password changes complements the ability of a single fully operational Connector for RACF installation to manage an entire RRSF complex of multiple RACF systems.