This section describes the steps for installing EntireX Security for Broker kernel under z/OS. The installation procedure consists of the steps described below.
To modify the Broker attribute file
Insert the following parameter in the DEFAULTS=BROKER section of the Broker attribute file:
SECURITY=YES
Modify the DEFAULTS=SECURITY section of the Broker attribute file according to your requirements. These parameters are used to determine whether you will use SAF Security or LDAP-based Authentication. See Security-specific Attributes. If you are using LDAP-based authentication, authorization checks are not available to you.
Note:
Setting SECURITY=YES loads the supplied load module USRSEC from the EXXvrs.LOAD library. This module performs privileged operations, such as executing the RACROUTE macro, and therefore requires APF authorization.
EntireX Security performs checks against user profiles and resource profiles represented in RACF, CA ACF2, and CA Top Secret.
For services supporting Natural RPC or other applications that use RPC, you can perform authorization checks on the client by defining the "per service" attribute CLIENT-RPC-AUTHORIZATION=YES in the Broker attribute file. Setting this parameter to YES will cause the RPC library and program names to be appended to the profile associated with the authorization check. The resource profile would then appear as follows:
Class.server.service.rpc-library.rpc-program
If the total length of the resource profile exceeds 80 bytes, increase the parameter MAX-SAF-PROF-LEN.
This check applies only to the client and not the server. CLIENT-RPC-AUTHORIZATION=YES should not be set for any services which do not utilize RPC protocol.
Note:
Natural Security performs its resource authorization checks as follows: <prefix-character>.rpc-library.rpc-program
To allow conformity with Natural Security, the CLIENT-RPC-AUTHORIZATION parameter can optionally be defined with a prefix character as follows: CLIENT-RPC-AUTHORIZATION=(YES,<prefix-character>).
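The following script is an added example, not part of the EntireX documentation or product: it reads a constructed Broker attribute file excerpt, builds the resource profile Class.server.service.rpc-library.rpc-program for each service that has CLIENT-RPC-AUTHORIZATION enabled, and reports whether the profile exceeds MAX-SAF-PROF-LEN so the administrator knows when to raise it. The attribute-file layout handled by the parser (DEFAULTS=... headers, NAME=VALUE pairs, '*' comments), the default of 80 for a missing MAX-SAF-PROF-LEN, the placement of an optional prefix character in front of rpc-library, and all names in the sample are assumptions of this example; the page does not spell out the profile that results from the (YES,prefix) form, so adjust that part to match your installation.

```python
"""Added example (not EntireX code): resource-profile length audit for
CLIENT-RPC-AUTHORIZATION. All sample names below are constructed."""
from __future__ import annotations
import re

DEFAULT_MAX_SAF_PROF_LEN = 80  # assumed default; the page cites 80 bytes as the limit

# Constructed attribute-file excerpt; the DEFAULTS=SERVICE layout is assumed.
ATTRIBUTE_FILE = """\
* constructed sample attribute file
DEFAULTS=BROKER
  SECURITY=YES
DEFAULTS=SECURITY
  TRUSTED-USERID=YES
  MAX-SAF-PROF-LEN=80
DEFAULTS=SERVICE
  CLASS=RPC,SERVER=SRV1,SERVICE=CALLNAT
  CLIENT-RPC-AUTHORIZATION=YES
DEFAULTS=SERVICE
  CLASS=RPC,SERVER=PAYMENTSERVERPRODUCTION,SERVICE=ACCOUNTBALANCEENQUIRY
  CLIENT-RPC-AUTHORIZATION=(YES,N)
DEFAULTS=SERVICE
  CLASS=ACLASS,SERVER=ASERVER,SERVICE=ASERVICE
  CLIENT-RPC-AUTHORIZATION=NO
"""

# Constructed sample: longest rpc-library / rpc-program names a client may use,
# keyed by "class/server/service".
SAMPLE_CALLS = {
    "RPC/SRV1/CALLNAT": ("MYLIB", "MYPROG"),
    "RPC/PAYMENTSERVERPRODUCTION/ACCOUNTBALANCEENQUIRY":
        ("APPLICATIONLIBRARY", "BUSINESSPROGRAM01"),
}


def split_pairs(line: str) -> list[tuple[str, str]]:
    """Split 'A=1,B=(YES,X)' into (key, value) pairs, keeping commas inside ()."""
    items, depth, current = [], 0, []
    for ch in line:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
    items.append("".join(current))
    pairs = []
    for item in items:
        if "=" in item:
            key, value = item.split("=", 1)
            pairs.append((key.strip().upper(), value.strip()))
    return pairs


def parse_attribute_file(text: str) -> dict:
    """Return {'BROKER': {...}, 'SECURITY': {...}, 'SERVICE': [{...}, ...]}."""
    config = {"BROKER": {}, "SECURITY": {}, "SERVICE": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.upper().startswith("DEFAULTS="):
            name = line.split("=", 1)[1].strip().upper()
            if name == "SERVICE":          # one dict per service definition
                current = {}
                config["SERVICE"].append(current)
            else:
                current = config.setdefault(name, {})
            continue
        if current is not None:
            current.update(split_pairs(line))
    return config


def parse_client_rpc_authorization(value: str) -> tuple[bool, str | None]:
    """YES -> (True, None); (YES,c) -> (True, 'c'); anything else -> (False, None)."""
    stripped = value.strip()
    if stripped.upper() == "YES":
        return True, None
    match = re.fullmatch(r"\(\s*YES\s*,\s*(\S)\s*\)", stripped, re.IGNORECASE)
    if match:
        return True, match.group(1)
    return False, None


def resource_profile(service: dict, library: str, program: str) -> str:
    """Class.server.service, extended with rpc-library.rpc-program when the
    check is enabled. Placing the prefix character before rpc-library is an
    assumption of this example, mirroring the Natural Security form."""
    enabled, prefix = parse_client_rpc_authorization(
        service.get("CLIENT-RPC-AUTHORIZATION", "NO"))
    base = ".".join((service["CLASS"], service["SERVER"], service["SERVICE"]))
    if not enabled:
        return base
    tail = f"{library}.{program}"
    return f"{base}.{prefix}.{tail}" if prefix else f"{base}.{tail}"


def audit(config: dict, rpc_calls: dict[str, tuple[str, str]]) -> list[str]:
    """Return findings: missing SECURITY=YES, and profiles over MAX-SAF-PROF-LEN."""
    findings = []
    if config["BROKER"].get("SECURITY", "").upper() != "YES":
        findings.append("SECURITY=YES missing from DEFAULTS=BROKER: no checks will run")
    max_len = int(config["SECURITY"].get("MAX-SAF-PROF-LEN", DEFAULT_MAX_SAF_PROF_LEN))
    for svc in config["SERVICE"]:
        key = "/".join((svc["CLASS"], svc["SERVER"], svc["SERVICE"]))
        library, program = rpc_calls.get(key, ("", ""))
        profile = resource_profile(svc, library, program)
        if len(profile) > max_len:
            findings.append(f"{profile}: {len(profile)} bytes exceeds "
                            f"MAX-SAF-PROF-LEN={max_len}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_attribute_file(ATTRIBUTE_FILE), SAMPLE_CALLS):
        print(finding)
```

Run it against a copy of your own attribute file and the longest library and program names your clients actually call; a profile that comes out longer than MAX-SAF-PROF-LEN will be truncated or rejected at check time rather than silently permitted, so the script's purpose is to find those cases before the Broker is restarted.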
If you use the trusted user ID option, set the parameter TRUSTED-USERID=YES in the DEFAULTS=SECURITY section of the attribute file.
The trusted user ID feature automatically acquires the identity of the logged-on user or batch job. It must therefore only be used with TP monitors running under the control of RACF, CA ACF2 or CA Top Secret. Batch jobs must run under an identifiable user ID, as inherited by the job submitter, scheduler, or other means.
Applications using the trusted user ID feature must execute under z/OS and on the same machine, or another z/OS machine connected to Broker through Entire Net-Work. Communication is through the Adabas SVC mechanism.
Applications must not assign a password to the ACI control block if they intend to use trusted user ID. This applies to all applications, including EntireX RPC Server and EntireX Broker Services (Attach Services). If the application cannot avoid supplying a password, it is permissible to assign a password value of NOPASSWORD, as required by the Broker Services SDL file.
EntireX Security trusted user ID functionality is relevant only for determining the z/OS user ID associated with applications executing on z/OS which communicate with EntireX Broker or Broker Services, which are also executing on z/OS via the Adabas SVC mechanism. It cannot be used in configurations which include application components executing on separate, non-z/OS computers that communicate with EntireX Broker or Broker Services through Entire Net-Work. Such configurations invalidate the usage of trusted user ID.
The SVCSAF module is supplied with EntireX. The resulting Adabas SVC must be linked into an APF authorized library, for example:
//*-------------------------------------------------------
//* CREATE A NEW ADASVC MODULE THAT INCLUDES SVCSAF MODULE
//*-------------------------------------------------------
//LNKSVC   EXEC PGM=IEWL,PARM='XREF,LIST,LET,NCAL,RENT,REUS'
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD SPACE=(CYL,(1,1)),UNIT=VIO
//WALLIB   DD DISP=SHR,DSN=WALvrs.LOAD          ADASVC and SVCSAF
//SYSLMOD  DD DISP=SHR,DSN=WALvrs.NEW.LOAD      NEW ADASVC OUTPUT
//SYSLIN   DD *
  MODE AMODE(31),RMODE(24)
  INCLUDE WALLIB(ADASVC)
  SETCODE AC(1)
  INCLUDE WALLIB(SVCSAF)
  NAME ADASVC(R)
/*
//*
Implementing the SAF trusted user ID option in EntireX Security under CICS TS version 1.2 and above requires the installation of the Adabas task related user exit (ADATRUE) and setting either the ADAGSET or LGBLSET (depending upon the Adabas version) parameter SAF=YES. Please see the section entitled Installing (Adabas) Cross-Memory Services under TP Monitors for complete details on installing ADATRUE. Samples of the ADAGSET and LGBLSET parameter modules can be found in the library WALvrs.SRCE.
For additional supporting information, please refer to the Installation Procedure section of the Adabas Installation Manual.
To build language-specific messages
Copy the template message module EXXvrs.SRCE(NA2MSG0) to another member - for example, EXXvrs.SRCE(NA2MSG9) - and then modify the message texts to suit your own language requirements.
Note:
NA2MSG0, NA2MSG1, and NA2MSG2 are reserved names.
Assemble and link your modified source module using the sample JCL EXXvrs.SRCE(SAGJ106), ensuring that you create a unique load module in the EXXvrs.LOAD library.
Modify the ERRTXT-MODULE parameter in the DEFAULTS=SECURITY section of the attribute file to reflect the name of your unique load module.
The Broker must be restarted to pick up changes to the Broker attribute file and to initialize Broker kernel under z/OS to perform security checks.
Basic installation of EntireX Security for Broker kernel is now complete.
This section describes the steps for installing EntireX Security for Broker stub under z/OS. The installation consists of the steps described below.
Notes:
These steps are not required if you are running your application(s) at ACI version 8.
The SAFCFG configuration module is required for applications running on z/OS using ACI version 7 or below.
To assemble the SAFCFG configuration module
Run job WALvrs.JOBS(SAFI010), which assembles and links SAFCFG (load module).
Note:
This module comes with preconfigured defaults. See source module WALvrs.SRCE(SAFCFG). If encryption is required, set the macro assembly parameter as follows: BKPRIV=1.
For applications running on z/OS using ACI 7 or below, the Broker stub security component must be linked with the following stubs: BROKER, CICSETB, NATETB23, COMETB, MPPETB.
To link the Broker stub security component
Relink all applications that contain ACI stub modules BROKER, CICSETB, NATETB23, COMETB, or MPPETB to include the following modules:
NA2PETS - Broker security stub logic module
SAFCFG - System parameter module
Location of sample INCLUDE statements: EXXvrs.JOBS(SAGJ109).
Note:
These components are needed for backwards compatibility if your applications issue any commands using ACI version 7 or below. Applications using ACI version 8 do not require these additional components in the stubs. For ACI version 7 or below, these components must be added to the stub environment utilized by the application, regardless of whether you are using the Trusted User ID facility or using the Relay Manager to communicate with the Broker kernel. Failure to link these components along with the stub when using ACI versions 1 through 7 can result in message "SEFM225 MESSAGE FROM BACK LEVEL STUB" being issued by the Broker kernel.
SECUEXIT must be made available for applications running on z/OS using ACI version 7 or below with stub BKIMBTSO or CICSETB2.
To make SECUEXIT available
Rename SECUEXI0 to SECUEXIT in library EXXvrs.LOAD so that it is available to applications running the IBM C stub.
Ensure that SECUEXIT is available in EXXvrs.LOAD for all applications utilizing BKIMBTSO or CICSETB2.
Installation of EntireX Security for Broker stubs is now complete. Now you can install the security components for the Broker stubs on the remaining operating systems where your application components are located.