This document describes the Adabas SAF Security configuration parameters.
Caution:
Because of the sensitivity of SAF security, the ability to change the configuration module or the DDSAF dataset must be tightly controlled by the external security system.
This section describes the site-dependent parameters which are used by Adabas SAF Security. These parameters are specified using an assembled configuration module SAFCFG. SAFCFG is supplied as part of the SAF Security Kernel on the Adabas limited (WAL) libraries.
Note:
The default value for each Adabas SAF Security parameter is underlined in the parameter syntax definition.
AAFCMD: Protection Level for AAFCMD operations and reporting
ADASCR: Use Logon ID of Security Package as Adabas Security Password
ALLFILES: Clients Have Same Permissions for All Files in a Database
DBAUDIT: Database Audit Logging for Adabas Security Violations
DBFLEN: Format of Database ID and File Number in Resource Profiles
FILETAB: Name of Load Module Containing Grouped Resource Names
HOLDCMD: Access Requirement For Commands Which Place Records On Hold
NWNCU: Number of Database Checks to be Buffered per Cross-Level User
NWUNI: Allow Access to Undefined Adabas Resources for Cross-Level Checking
WTOCASE: Mixed or Upper Level Case for ADASAF Prefix Messages
Parameter | Description | Syntax |
---|---|---|
AAFCMD |
Level of protection for the AAFCMD operations and reporting tool. Protection levels are:
When enabled, resource names are the same as when protecting SYSAAF Online Services using a System Coordinator daemon. Note: |
AAFCMD={0| 1 } |
Parameter | Description | Syntax |
---|---|---|
AAFPRFX |
Enter a 1 to 8 character prefix which will be used as the first element of any resource profile names checked by Adabas SAF Security. For example, specifying
The default is no prefix. Note: |
AAFPRFX=xxxxxxxx |
Parameter | Description | Syntax |
---|---|---|
ABS |
Level of protection for the following Online Administration Services: Protection levels are:
|
ABS={0| 1 | 2 } |
Parameter | Description | Syntax |
---|---|---|
ADASCR |
Indicates whether or not the Logon ID of the security package is to be used as the Adabas Security password.
|
ADASCR={N | Y | G } |
Parameter | Description | Syntax |
---|---|---|
ALLFILES |
Indicates whether or not client sessions have the same permissions for all files in a database:
Do not specify Note: |
ALLFILES={N | Y } |
Parameter | Description | Syntax |
---|---|---|
CIPHER |
Indicates whether or not ADASAF should extract Adabas cipher codes from RACF and apply them to the relevant Adabas commands.
|
CIPHER={N| Y } |
Parameter | Description | Syntax |
---|---|---|
DBADMIN |
The protection level applied by Adabas SAF Security when the following administration functions are performed: Protection levels are:
For
A setting of WARN may be useful to identify the required security definitions without
impacting the execution of administration requests during the
|
DBADMIN={N|(Y, NOFILE|FILE, WARN|FAIL)} |
Parameter | Description | Syntax |
---|---|---|
DBAUDIT |
Indicates whether or not to perform nucleus audit logging for Adabas Security violations:
See also the section Nucleus Audit Logging for Adabas Security Violations. |
DBAUDIT={N|Y} |
Parameter | Description | Syntax |
---|---|---|
DBCLASS |
The name of the resource class for use in authorization checks performed by Adabas SAF Security for: The name can be up to eight alphanumeric characters and
the supplied default is Notes on the use of
|
DBCLASS={ name | (name,FASTAUTH) } |
Parameter | Description | Syntax |
---|---|---|
DBFLEN |
The format of the Database ID and file number in resource profiles:
The default value is recommended to simplify reporting and
maintenance of security profiles; to allow for the large Database IDs and file
numbers introduced with Adabas version 6; and to allow for
|
DBFLEN={ 0 |1| 2 } |
Parameter | Description | Syntax |
---|---|---|
DBNCU |
The number of database checks to be buffered per user, in the cache defined by GWSIZE. |
DBNCU=0 |
Parameter | Description | Syntax |
---|---|---|
DBUNI |
Indicates whether or not access to undefined Adabas resources should be allowed. The normal mode of operation is to prevent access to resources not defined to the security system. Profiles representing Adabas resources are added to the security repository with either a default access or by granting access to specific users and groups.
Note: |
DBUNI={N| Y } |
Parameter | Description | Syntax |
---|---|---|
DELIM |
Use of delimiter when defining an entity name.
|
DELIM={ N | Y} |
Parameter | Description | Syntax |
---|---|---|
ETDATA |
Indicates whether or not ADASAF should protect commands
that access or create
This parameter is only honored if fixed-length Database
IDs and file numbers are used in the resource profile names (that is, the
|
ETDATA={ N | Y } |
Parameter | Description | Syntax |
---|---|---|
FAILUTI |
Indicates the action to be taken when an Adabas utility SAF security check fails.
A setting of NO may be useful during the Adabas SAF Security implementation phase, to identify the required security definitions without impacting the execution of utility jobs. |
FAILUTI={YES | NO} |
Parameter | Description | Syntax |
---|---|---|
FILETAB |
The name of the load module containing grouped resource names for this nucleus. Grouped resource names can be used instead of database/file number when checking access to an Adabas file. The load module is created using the AAFFILE macro (see Defining Grouped Resource Names with AAFFILE and its name must be a valid load module name of up to 8 characters. The default is not to use grouped resource names. |
FILETAB=xxxxxxxx |
Parameter | Description | Syntax |
---|---|---|
GROUP |
Indicates whether or not the Group ID rather than the User ID is to be used for resource authorization checking.
Note: |
GROUP={ N | Y } |
Parameter | Description | Syntax |
---|---|---|
GWMSGL |
The tracing level for security checks.
Use the parameter These trace messages will be retained for as long as the job, or the dataset to which they have been written, remains available. Deleting the job, or dataset, will delete the trace messages. For diagnostic and troubleshooting purposes, the content of the trace message includes the SAF User ID for which access was requested. |
GWMSGL={ 0 | 1 | 2 | 3 } |
Parameter | Description | Syntax |
---|---|---|
GWSIZE |
The amount of storage (in kilobytes) to be used for
caching user information related to the security system, for example checked
entity names. For optimum performance in conjunction with
|
WAL 812: GWSIZE=16; WAL 813 and above: GWSIZE=256 |
Parameter | Description | Syntax |
---|---|---|
GWSTYP |
The SAF security type.
|
GWSTYP={ 1 | 2 | 3 | 4 } |
Parameter | Description | Syntax |
---|---|---|
HOLDCMD |
Determines whether hold commands ( |
HOLDCMD={ R | U } |
Parameter | Description | Syntax |
---|---|---|
LFPROT |
Specify whether or not the
|
LFPROT={ Y | N} |
Parameter | Description | Syntax |
---|---|---|
LOGOFF |
Indicates when ADASAF should log off users from the SAF security system.
The settings Use the Adabas session statistics "Number of
users participating" and "Number of commands
executed" to decide whether If the Adabas non-activity timeout values are such that
users are frequently timed out, set |
WAL 812: LOGOFF={ ALWAYS | NEVER | TIMEOUT }; WAL 813 and above: LOGOFF={ ALWAYS | NEVER | TIMEOUT } |
Parameter | Description | Syntax |
---|---|---|
MAXFILES |
The number of files for which security information is to be cached for each user. If a user accesses more than this number of files, the oldest entries will be overwritten. |
MAXFILES={ nnnn | 16 } |
Parameter | Description | Syntax |
---|---|---|
MAXPCC |
The maximum number of passwords and cipher codes to be extracted from RACF for the current Adabas nucleus. If ADASAF finds more than this number, nucleus initialization is terminated with message AAF010. |
MAXPCC={ nnnn | 16} |
Parameter | Description | Syntax |
---|---|---|
NETADMIN |
Indicates whether or not to protect Entire Net-Work administration functions:
For NETADMIN=Y only:
A setting of WARN may be useful during the NETADMIN=Y implementation phase, to identify the required security definitions without impacting the execution of administration requests. See also the section Entire Net-Work Administration Functions. |
NETADMIN={N|(Y, WARN|FAIL)} |
Parameter | Description | Syntax |
---|---|---|
NOTOKEN |
Indicates whether or not calls from unsecured mainframe clients are to be allowed. An unsecured mainframe client is a client operating in an environment that does not provide security information via the Adabas router. For example, a remote LPAR where the router has not been linked with the SAF security extensions (SVCSAF) or a CICS job that is using an Adabas link globals module that specifies
Caution: |
NOTOKEN={ N | Y } |
Parameter | Description | Syntax |
---|---|---|
NWCLASS |
The name of the resource class for use in cross-level authorization checks performed by Adabas SAF Security for Operation in the Adabas Nucleus. The name can be up to eight alphanumeric characters and
the supplied default is Notes on the use of
|
NWCLASS={ name | (name,FASTAUTH) } |
Parameter | Description | Syntax |
---|---|---|
NWNCU |
The number of database checks to be buffered per cross-level user, in the cache defined by GWSIZE. |
NWNCU=0 |
Parameter | Description | Syntax |
---|---|---|
NWUNI |
Indicates whether or not access to undefined Adabas resources should be allowed for cross-level checks. The normal mode of operation is to prevent access to resources not defined to the security system. Profiles representing Adabas resources are added to the security repository with either a default access or by granting access to specific users and groups.
Note: |
NWUNI={ N | Y } |
Parameter | Description | Syntax |
---|---|---|
NWUSRW |
The User ID to be used for database cross-level security checks issued on behalf of workstation users. |
NWUSRW=WINUSER |
Parameter | Description | Syntax |
---|---|---|
PASSWORD |
Indicates whether or not ADASAF should extract Adabas passwords from RACF and apply them to the relevant Adabas commands.
|
PASSWORD={N | Y } |
Parameter | Description | Syntax |
---|---|---|
PCPROT |
Specify whether or not the
Note: |
PCPROT={ N | R | U} |
Parameter | Description | Syntax |
---|---|---|
REMOTE |
The mechanism ADASAF should use to protect calls from remote users.
|
REMOTE={ LINK | NODE | NONE | POPUP} |
Parameter | Description | Syntax |
---|---|---|
SAFPRINT |
Specify whether security check trace messages should be written to DD SAFPRINT or to DD DDPRINT.
If SAFPRINT=Y is specified, but a SAFPRINT dataset is not provided, the trace messages will be written to DDPRINT. The SAFPRINT dataset must be defined in the nucleus JCL and may refer to a SYSOUT dataset or to a file defined with
|
SAFPRINT={N | Y } |
Parameter | Description | Syntax |
---|---|---|
SIGNALS |
Indicates whether or not to activate the ENF Signal Listener.
Multiple values can be specified within parentheses in strictly ascending order. Note: See also the section Adabas SAF Security and ENF Signal Types 62, 71, and 79. |
SIGNALS={N} SIGNALS={62|71|79} SIGNALS={(62,71)|(62,79)|(71,79)| (62,71,79)} |
Parameter | Description | Syntax |
---|---|---|
SIGNQSZ |
Determines the number of entries in the ENF Listener Queue.
A queue full condition will trigger an internal SREST operation resulting in all cached security information being discarded and subsequently dynamically recached. The output of the Caution must be observed when sizing this parameter because oversizing may result in unnecessary processing. A balance between efficient queue processing and the number of internal SRESTs due to queue full conditions should be achieved. This parameter is only applicable when the ENF Signal
Listener is activated using the |
SIGNQSZ={32|nnn} |
Parameter | Description | Syntax |
---|---|---|
SIGNRINT |
Defines the minimum interval of time (specified in units of 5 minutes) between successive internal SREST operations when triggered due to ENF Signal conditions.
Note: Caution must be observed when setting this value because too low a value may result in an excessive number of SREST operations (reducing any potential efficiency by the caching of security information), particularly when the ENF Signal Listener has been activated for types 62 and 79. This parameter is only applicable when the ENF Signal
Listener is activated using the |
SIGNRINT={12|nnn} |
Parameter | Description | Syntax |
---|---|---|
UTI |
Indicates the level of protection for Adabas Utilities:
See also the section Utility Start-up. |
UTI={1|2|3} |
Parameter | Description | Syntax |
---|---|---|
WTOCASE |
The AAF prefix messages issued by ADASAF may be written in mixed or upper case. For compatibility with previous versions, the default is upper case.
|
WTOCASE={ M | U } |
Parameter | Description | Syntax |
---|---|---|
XLEVEL |
The type of database cross-level security checking to be performed.
Note: |
XLEVEL={0 | 1 | 2 | 3 } |
Some SAFCFG parameters can be overridden on a nucleus-by-nucleus basis by providing them in a dataset referenced by the DD name DDSAF, thereby avoiding the need to maintain a separate parameter module for each database with different requirements.
The DDSAF dataset should be defined with record size (LRECL) 80 and format fixed (RECFM=F) or fixed-blocked (RECFM=FB), in which case it should have a suitable blocksize.
Each record in DDSAF must begin in column 1, with an asterisk (*) to indicate that it is a comment, or with the parameter keyword and value and optional comments. Each parameter must be specified in a separate record.
The DDSAF dataset is only used for nucleus jobs.
The parameters that can be specified are:
AAFPRFX, ABS, ADASCR, ALLFILES, CIPHER, ETDATA, FAILMODE, FILETAB, HOLDCMD, LOGOFF, MAXFILES, MAXPCC, NOTOKEN, PASSWORD, PCPROT, REMOTE, XLEVEL
Note:
The only valid setting for FAILMODE is FAILMODE=F. This can be used to switch a nucleus running in WARN mode into FAIL mode by modifying DDSAF and restarting ADASAF using ADASAF Online Services (option 6) or by using the AAF SNEWCOPY operator command. FAILMODE=F may only be specified in DDSAF; if specified in the configuration module, it is ignored.
A sample parameter file is shown below:
Parameter | Comment |
---|---|
ADASCR=N | no ADASCR compatibility |
CIPHER=Y | some cipher codes |
ETDATA=N | no ET data protection |
MAXFILES=20 | maximum cached files |
MAXPCC=10 | maximum cipher codes |
PASSWORD=N | no passwords |
XLEVEL=2 | full cross-level checking |
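As an added example, not code from the Adabas SAF Security documentation or product, the following Python script checks a DDSAF override dataset against the record rules stated above before it is deployed: every record begins in column 1, either as an asterisk comment or as KEYWORD=value followed by an optional comment; records must fit the LRECL of 80; only the parameters listed as DDSAF-overridable are accepted; and FAILMODE accepts only F. The sample dataset it parses is constructed for the example, and treating blank records and duplicated keywords as errors is an assumption of the example rather than a documented rule.

```python
# Added example: validator for Adabas SAF Security DDSAF override records.
# Not part of the product; rules are taken from the documentation text above.
from dataclasses import dataclass, field

# Parameters the documentation lists as overridable per nucleus through DDSAF.
DDSAF_PARAMETERS = frozenset({
    "AAFPRFX", "ABS", "ADASCR", "ALLFILES", "CIPHER", "ETDATA", "FAILMODE",
    "FILETAB", "HOLDCMD", "LOGOFF", "MAXFILES", "MAXPCC", "NOTOKEN",
    "PASSWORD", "PCPROT", "REMOTE", "XLEVEL",
})
LRECL = 80  # DDSAF is defined with fixed 80-byte records


@dataclass
class DdsafResult:
    settings: dict = field(default_factory=dict)  # keyword -> value, in file order
    errors: list = field(default_factory=list)    # one message per rejected record


def parse_ddsaf(text: str) -> DdsafResult:
    """Parse DDSAF records and reject anything the nucleus would not accept.

    Documented rules: a record whose column 1 is '*' is a comment; any other
    record must start in column 1 with KEYWORD=value, optionally followed by a
    comment; only DDSAF_PARAMETERS may appear; FAILMODE=F is the only valid
    FAILMODE setting in DDSAF. Assumption of this example: blank records and
    duplicated keywords are reported as errors.
    """
    result = DdsafResult()
    for lineno, record in enumerate(text.splitlines(), start=1):
        if len(record) > LRECL:
            result.errors.append(f"record {lineno}: longer than LRECL {LRECL}")
            continue
        if record.startswith("*"):
            continue  # comment record
        if not record or record[0].isspace():
            result.errors.append(f"record {lineno}: must begin in column 1")
            continue
        token = record.split()[0]  # text after the first blank is a comment
        keyword, sep, value = token.partition("=")
        keyword = keyword.upper()
        if not sep or not value:
            result.errors.append(
                f"record {lineno}: expected KEYWORD=value, got {token!r}")
        elif keyword not in DDSAF_PARAMETERS:
            result.errors.append(
                f"record {lineno}: {keyword} cannot be overridden in DDSAF")
        elif keyword == "FAILMODE" and value.upper() != "F":
            result.errors.append(
                f"record {lineno}: only FAILMODE=F is valid in DDSAF")
        elif keyword in result.settings:
            result.errors.append(
                f"record {lineno}: {keyword} specified more than once")
        else:
            result.settings[keyword] = value
    return result


# Constructed sample override dataset (not from the product). The first six
# parameter records are valid; each of the last four breaks one rule.
SAMPLE_DDSAF = """\
* constructed DDSAF override for one nucleus
ADASCR=N      no ADASCR compatibility
CIPHER=Y      some cipher codes
ETDATA=N      no ET data protection
MAXFILES=20   maximum cached files
PASSWORD=N    no passwords
XLEVEL=2      full cross-level checking
MAXPC=10      typo for MAXPCC, so the keyword is unknown
FAILMODE=W    WARN mode cannot be set from DDSAF
GWSIZE=512    GWSIZE is a SAFCFG-only parameter
 REMOTE=NODE  leading blank: record does not begin in column 1
"""

if __name__ == "__main__":
    parsed = parse_ddsaf(SAMPLE_DDSAF)
    for keyword, value in parsed.settings.items():
        print(f"{keyword}={value}")
    for message in parsed.errors:
        print("REJECTED", message)
```

Running the script on the constructed sample accepts the six valid overrides and reports the four rejected records, which is the check worth running on a DDSAF member before it reaches a nucleus that has just been switched from WARN to FAIL mode.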
This section describes the site-dependent parameters which are used by the SAF Security daemon. These parameters are specified using an assembled configuration module SAFCFG. SAFCFG is supplied as part of the SAF Security Kernel on the Adabas limited libraries.
Note:
The default value for each ADASAF parameter is underlined in the parameter syntax definition.
Parameter | Description | Syntax |
---|---|---|
DBCLASS |
The name of the ADASAF resource class. The name can be up to eight alphanumeric characters. This class is used for protection of SYSAAF and other Natural libraries. |
DBCLASS={ name | ADASEC} |
Parameter | Description | Syntax |
---|---|---|
DBNCU |
The number of security checks to be buffered per SAF user, in the cache defined by GWSIZE. For the security service in the System Coordinator daemon, DBNCU specifies the number of SYSAAF (etc) checks to be buffered per SAF user. These buffered checks are used to avoid repeated SAF calls for a user. |
DBNCU=0 |
Parameter | Description | Syntax |
---|---|---|
DBUNI |
Indicates whether or not access to undefined resources should be allowed. The normal mode of operation is to prevent access to resources not defined to the security system. Profiles representing ADASAF resources are added to the security repository with either a default access or by granting access to specific users and groups.
Notes:
|
DBUNI={N| Y } |
Parameter | Description | Syntax |
---|---|---|
FAILMODE |
FAILMODE controls whether a security violation is treated as "access denied" or "access allowed".
The normal mode of operation is to disallow access for security violations. However, during initial implementation of the security service in the System Coordinator daemon it may be useful to specify FAILMODE=W and, if appropriate, DBUNI=Y so that you can review your SYSAAF (etc) security requirements progressively until you decide to switch to full fail mode. |
FAILMODE={F | W} |
Parameter | Description | Syntax |
---|---|---|
GWMSGL |
The tracing level for daemon security checks.
For easier problem diagnosis and auditing, trace messages include a time stamp and the name of the job that requested the security check. Trace information is also accumulated in the System Coordinator trace facility, if active. |
GWMSGL={ 0 | 1 | 2 | 3 } |
Parameter | Description | Syntax |
---|---|---|
GWSIZE |
The amount of storage (in kilobytes) to be used for caching user information related to the security system, for example checked entity names. For optimum performance of the security service in the System Coordinator daemon set GWSIZE large enough so the number of Active SAF User overwrites is not excessive. |
GWSIZE=256 |
Parameter | Description | Syntax |
---|---|---|
GWSTYP |
The SAF security type.
|
GWSTYP={ 1 | 2 | 3 | 4 } |
Parameter | Description | Syntax |
---|---|---|
SAFPRINT |
Specify whether security check trace messages should be written to DD SAFPRINT or to DD DDPRINT.
If SAFPRINT=Y is specified, but a SAFPRINT dataset is not provided, the trace messages will be written to DDPRINT. The SAFPRINT dataset must be defined in the daemon JCL and may refer to a SYSOUT dataset or to a file defined with RECFM=F (or FB) and LRECL=121.
|
SAFPRINT={N | Y } |