This document describes the Adabas SAF Security configuration parameters.
Caution: Because of the sensitivity of SAF security, the ability to change the configuration module or the DDSAF dataset must be tightly controlled by the external security system.
This section describes the site-dependent parameters which are used by ADASAF when operating in an Adabas nucleus or utility. These parameters are specified using an assembled configuration module SAFCFG. SAFCFG is supplied as part of the SAF Security Kernel on the Adabas limited libraries.
Note: The default value for each ADASAF parameter is underlined in the parameter syntax definition.
ADASCR: Use Logon ID of Security Package as Adabas Security Password
DBFLEN: Format of Database ID and File Number in Resource Profiles
FILETAB: Name of Load Module Containing Grouped Resource Names
HOLDCMD: Access Requirement For Commands Which Place Records On Hold
NWNCU: Number of Database Checks to be Buffered per Cross-Level User
NWUNI: Allow Access to Undefined Adabas Resources for Cross-Level Checking
WTOCASE: Mixed or Upper Case for ADASAF Prefix Messages
Parameter | Description | Syntax |
---|---|---|
AAFPRFX | Enter a 1 to 8 character prefix which will be used as the first element of any resource profile names checked by Adabas SAF Security. For example, specifying … The default is no prefix. | AAFPRFX=xxxxxxxx |
ABS | Level of protection for Adabas Basic Services: … See also the section Adabas Basic Services. | ABS={0 \| 1 \| 2} |
ADASCR | Indicates whether or not the Logon ID of the security package is to be used as the Adabas Security password. | ADASCR={N \| Y \| G} |
CIPHER | Indicates whether or not ADASAF should extract Adabas cipher codes from RACF and apply them to the relevant Adabas commands. | CIPHER={N \| Y} |
DBCLASS | The name of the ADASAF database resource class. The name can be up to eight alphanumeric characters. | DBCLASS={name \| ADASEC} |
DBFLEN | The format of the Database ID and file number in resource profiles: … The default value is recommended to simplify reporting and maintenance of security profiles; to allow for the large Database IDs and file numbers introduced with Adabas version 6; and to allow for … | DBFLEN={0 \| 1 \| 2} |
DBNCU | The number of database checks to be buffered per user, in the cache defined by GWSIZE. | DBNCU=0 |
DBUNI | Indicates whether or not access to undefined Adabas resources should be allowed. The normal mode of operation is to prevent access to resources not defined to the security system. Profiles representing Adabas resources are added to the security repository with either a default access or by granting access to specific users and groups. | DBUNI={N \| Y} |
DELIM | Use of delimiter when defining an entity name. | DELIM={N \| Y} |
ETDATA | Indicates whether or not ADASAF should protect commands that access or create … This parameter is only honored if fixed-length Database IDs and file numbers are used in the resource profile names (that is, the … | ETDATA={N \| Y} |
FILETAB | The name of the load module containing grouped resource names for this nucleus. Grouped resource names can be used instead of database/file number when checking access to an Adabas file. The load module is created using the AAFFILE macro (see Defining Grouped Resource Names with AAFFILE in the section Accessing and Changing Database Data) and its name must be a valid load module name of up to 8 characters. The default is not to use grouped resource names. | FILETAB=xxxxxxxx |
GROUP | Indicates whether or not the Group ID rather than the User ID is to be used for resource authorization checking. | GROUP={N \| Y} |
GWMSGL | The tracing level for database security checks. For easier problem diagnosis and auditing, trace messages include a time stamp and the name of the job that issued the Adabas call. Trace information is also accumulated in the System Coordinator trace facility, if active. | GWMSGL={0 \| 1 \| 2 \| 3} |
GWSIZE | The amount of storage (in kilobytes) to be used for caching user information related to the security system, for example checked entity names. For optimum performance in conjunction with … | WAL 812: GWSIZE=16; WAL 813 and above: GWSIZE=256 |
GWSTYP | The SAF security type. | GWSTYP={1 \| 2 \| 3 \| 4} |
HOLDCMD | Determines whether hold commands ( … | HOLDCMD={R \| U} |
LFPROT | Specify whether or not the … | LFPROT={Y \| N} |
LOGOFF | Indicates when ADASAF should log off users from the SAF security system. The settings … Use the Adabas session statistics "Number of users participating" and "Number of commands executed" to decide whether … If the Adabas non-activity timeout values are such that users are frequently timed out, set … | WAL 812: LOGOFF={ALWAYS \| NEVER \| TIMEOUT}; WAL 813 and above: LOGOFF={ALWAYS \| NEVER \| TIMEOUT} |
MAXFILES | The number of files for which security information is to be cached for each user. If a user accesses more than this number of files, the oldest entries will be overwritten. | MAXFILES={nnnn \| 16} |
MAXPC | The maximum number of passwords and cipher codes to be extracted from RACF for the current Adabas nucleus. If ADASAF finds more than this number, nucleus initialization is terminated with message AAF010. | MAXPC={nnnn \| 16} |
NOTOKEN | Indicates whether or not calls from unsecured mainframe clients are to be allowed. An unsecured mainframe client is a client operating in an environment that does not provide security information via the Adabas router. For example, a remote LPAR where the router has not been linked with the SAF security extensions (SVCSAF) or a CICS job that is using an Adabas link globals module that specifies … | NOTOKEN={N \| Y} |
NWCLASS | The name of the ADASAF database resource class for use in cross-level checks. The name can be up to eight alphanumeric characters. | NWCLASS={name \| ADASEC} |
NWNCU | The number of database checks to be buffered per cross-level user, in the cache defined by GWSIZE. | NWNCU=0 |
NWUNI | Indicates whether or not access to undefined Adabas resources should be allowed for cross-level checks. The normal mode of operation is to prevent access to resources not defined to the security system. Profiles representing Adabas resources are added to the security repository with either a default access or by granting access to specific users and groups. | NWUNI={N \| Y} |
NWUSRW | The User ID to be used for database cross-level security checks issued on behalf of workstation users. | NWUSRW=WINUSER |
PASSWORD | Indicates whether or not ADASAF should extract Adabas passwords from RACF and apply them to the relevant Adabas commands. | PASSWORD={N \| Y} |
PCPROT | Specify whether or not the … | PCPROT={N \| R \| U} |
REMOTE | The mechanism ADASAF should use to protect calls from remote users. | REMOTE={LINK \| NODE \| NONE \| POPUP} |
SAFPRINT | Specify whether security check trace messages should be written to DD SAFPRINT or to DD DDPRINT. If SAFPRINT=Y is specified but a SAFPRINT dataset is not provided, the trace messages will be written to DDPRINT. The SAFPRINT dataset must be defined in the nucleus JCL and may refer to a SYSOUT dataset or to a file defined with RECFM=F (or FB) and LRECL=121. | SAFPRINT={N \| Y} |
WTOCASE | The AAF prefix messages issued by ADASAF may be written in mixed or upper case. For compatibility with previous versions, the default is upper case. | WTOCASE={M \| U} |
XLEVEL | The type of database cross-level security checking to be performed. | XLEVEL={0 \| 1 \| 2 \| 3} |
Some ADASAF parameters can be overridden on a nucleus-by-nucleus basis by providing them in a dataset referenced by the DD name DDSAF, thereby avoiding the need to maintain a separate parameter module for each database with different requirements.
The DDSAF dataset should be defined with record size (LRECL) 80 and format fixed (RECFM=F) or fixed-blocked (RECFM=FB), in which case it should have a suitable blocksize.
Each record in DDSAF must begin in column 1, with an asterisk (*) to indicate that it is a comment, or with the parameter keyword and value and optional comments. Each parameter must be specified in a separate record.
The DDSAF dataset is only used for nucleus jobs.
The parameters that can be specified are: AAFPRFX, ABS, ADASCR, CIPHER, ETDATA, FAILMODE, FILETAB, HOLDCMD, LOGOFF, MAXFILES, MAXPC, NOTOKEN, PASSWORD, PCPROT, REMOTE and XLEVEL.
Note: The only valid setting for FAILMODE is FAILMODE=F. This can be used to switch a nucleus running in WARN mode into FAIL mode by modifying DDSAF and restarting ADASAF using ADASAF Online Services (option 6) or by using the AAF SNEWCOPY operator command. FAILMODE=F may only be specified in DDSAF; if specified in the configuration module, it is ignored.
A sample parameter file is shown below (each record carries the parameter followed by an optional comment):
Parameter | Comment |
---|---|
ADASCR=N | no ADASCR compatibility |
CIPHER=Y | some cipher codes |
ETDATA=N | no ET data protection |
MAXFILES=20 | maximum cached files |
MAXPC=10 | maximum cipher codes |
PASSWORD=N | no passwords |
XLEVEL=2 | full cross-level checking |
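Because DDSAF can relax a nucleus's protection without touching the assembled SAFCFG module, it is worth checking a member before it is put in place. The Python below is an added example, not code from Software AG or from Adabas SAF Security: it lints a DDSAF member against the rules stated in this section (LRECL 80, a record begins in column 1 with an asterisk comment or a keyword, one parameter per record, only the keywords listed above, and FAILMODE=F as the only valid FAILMODE), using the value sets from the syntax column of the parameter table. The sample records are constructed here from the sample parameter file above. Two checks are this linter's own conventions rather than documented ADASAF behaviour: it flags a keyword specified more than once (the page does not say how ADASAF resolves duplicates), and it flags NOTOKEN=Y for review because the NOTOKEN description says it admits calls from clients that supply no security information.

```python
"""Lint a DDSAF override member against the record and parameter rules on this page.

Added example; not part of Adabas SAF Security. Value sets come from the
syntax column of the parameter table; see the lead-in for what is assumed.
"""
import re

LRECL = 80

# Keywords the page lists as valid in DDSAF (nucleus jobs only).
DDSAF_ALLOWED = {
    "AAFPRFX", "ABS", "ADASCR", "CIPHER", "ETDATA", "FAILMODE", "FILETAB",
    "HOLDCMD", "LOGOFF", "MAXFILES", "MAXPC", "NOTOKEN", "PASSWORD",
    "PCPROT", "REMOTE", "XLEVEL",
}

# Permitted values per keyword. FAILMODE=F is the only FAILMODE setting valid in DDSAF.
VALUE_SETS = {
    "ABS": {"0", "1", "2"},
    "ADASCR": {"N", "Y", "G"},
    "CIPHER": {"N", "Y"},
    "ETDATA": {"N", "Y"},
    "FAILMODE": {"F"},
    "HOLDCMD": {"R", "U"},
    "LOGOFF": {"ALWAYS", "NEVER", "TIMEOUT"},
    "NOTOKEN": {"N", "Y"},
    "PASSWORD": {"N", "Y"},
    "PCPROT": {"N", "R", "U"},
    "REMOTE": {"LINK", "NODE", "NONE", "POPUP"},
    "XLEVEL": {"0", "1", "2", "3"},
}
NUMERIC = {"MAXFILES", "MAXPC"}   # syntax nnnn
NAMES = {"AAFPRFX", "FILETAB"}    # 1 to 8 characters

# Linter's own review rule (assumption, not ADASAF behaviour): NOTOKEN=Y admits
# calls from clients that provide no security information via the router.
REVIEW = {("NOTOKEN", "Y"): "allows calls from unsecured mainframe clients"}

# KEYWORD=value, then optional whitespace-separated comment text.
RECORD_RE = re.compile(r"^([A-Za-z]+)=(\S+)(?:\s+(.*))?$")


def lint_ddsaf(records):
    """Return (settings, findings): accepted keyword->value pairs and a list of problems."""
    settings, findings = {}, []
    for lineno, rec in enumerate(records, 1):
        rec = rec.rstrip("\r\n")
        if len(rec) > LRECL:
            findings.append(f"line {lineno}: record exceeds LRECL {LRECL}")
            rec = rec[:LRECL]
        if rec.startswith("*"):
            continue                      # comment record
        if not rec or rec[0].isspace():
            findings.append(f"line {lineno}: record must begin in column 1 with '*' or a keyword")
            continue
        m = RECORD_RE.match(rec)
        if not m:
            findings.append(f"line {lineno}: expected KEYWORD=value [comment], got {rec!r}")
            continue
        kw, val = m.group(1).upper(), m.group(2).upper()
        if kw not in DDSAF_ALLOWED:
            findings.append(f"line {lineno}: {kw} cannot be overridden in DDSAF")
            continue
        if kw in settings:
            findings.append(f"line {lineno}: {kw} specified more than once")   # assumption: worth flagging
        if kw in VALUE_SETS and val not in VALUE_SETS[kw]:
            allowed = " | ".join(sorted(VALUE_SETS[kw]))
            findings.append(f"line {lineno}: {kw}={val} is not valid here (allowed: {allowed})")
            continue
        if kw in NUMERIC and not (val.isdigit() and len(val) <= 4):
            findings.append(f"line {lineno}: {kw} requires a 1 to 4 digit number")
            continue
        if kw in NAMES and not 1 <= len(val) <= 8:
            findings.append(f"line {lineno}: {kw} must be 1 to 8 characters")
            continue
        if (kw, val) in REVIEW:
            findings.append(f"line {lineno}: {kw}={val} {REVIEW[(kw, val)]}; confirm this is intended")
        settings[kw] = val
    return settings, findings


# Constructed sample: the page's sample parameter file written as DDSAF records.
SAMPLE_DDSAF = [
    "* overrides for this nucleus (constructed sample)",
    "ADASCR=N    no ADASCR compatibility",
    "CIPHER=Y    some cipher codes",
    "ETDATA=N    no ET data protection",
    "MAXFILES=20 maximum cached files",
    "MAXPC=10    maximum cipher codes",
    "PASSWORD=N  no passwords",
    "XLEVEL=2    full cross-level checking",
]

# Constructed sample containing the mistakes the rules above catch.
BAD_DDSAF = [
    "FAILMODE=W   warn mode cannot be set from DDSAF",
    "DBUNI=Y      not in the DDSAF keyword list",
    "  NOTOKEN=Y  does not start in column 1",
    "NOTOKEN=Y    admits unsecured clients",
    "XLEVEL=9     out of range",
    "MAXPC=ten    not numeric",
]

if __name__ == "__main__":
    for name, member in (("SAMPLE", SAMPLE_DDSAF), ("BAD", BAD_DDSAF)):
        settings, findings = lint_ddsaf(member)
        print(name, settings)
        for finding in findings:
            print("  ", finding)
```

Run it against the member you intend to ship before restarting ADASAF with SNEWCOPY; an empty findings list means every record conforms to the format and keyword rules on this page, and any NOTOKEN=Y line will still be listed so a reviewer has to acknowledge it.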
This section describes the site-dependent parameters which are used by the SAF Security daemon. These parameters are specified using an assembled configuration module SAFCFG. SAFCFG is supplied as part of the SAF Security Kernel on the Adabas limited libraries.
Note: The default value for each ADASAF parameter is underlined in the parameter syntax definition.
Parameter | Description | Syntax |
---|---|---|
DBCLASS | The name of the ADASAF resource class. The name can be up to eight alphanumeric characters. This class is used for protection of SYSAAF and other Natural libraries. | DBCLASS={name \| ADASEC} |
DBNCU | The number of security checks to be buffered per SAF user, in the cache defined by GWSIZE. For the security service in the System Coordinator daemon, DBNCU specifies the number of SYSAAF (etc.) checks to be buffered per SAF user. These buffered checks are used to avoid repeated SAF calls for a user. | DBNCU=0 |
DBUNI | Indicates whether or not access to undefined resources should be allowed. The normal mode of operation is to prevent access to resources not defined to the security system. Profiles representing ADASAF resources are added to the security repository with either a default access or by granting access to specific users and groups. | DBUNI={N \| Y} |
FAILMODE | FAILMODE controls whether a security violation is treated as "access denied" or "access allowed". The normal mode of operation is to disallow access for security violations. During initial implementation of the security service in the System Coordinator daemon, however, it may be useful to specify FAILMODE=W and, if appropriate, DBUNI=Y, so that you can review your SYSAAF (etc.) security requirements progressively before switching to full fail mode. | FAILMODE={F \| W} |
GWMSGL | The tracing level for daemon security checks. For easier problem diagnosis and auditing, trace messages include a time stamp and the name of the job that requested the security check. Trace information is also accumulated in the System Coordinator trace facility, if active. | GWMSGL={0 \| 1 \| 2 \| 3} |
GWSIZE | The amount of storage (in kilobytes) to be used for caching user information related to the security system, for example checked entity names. For optimum performance of the security service in the System Coordinator daemon, set GWSIZE large enough that the number of Active SAF User overwrites is not excessive. | GWSIZE=256 |
GWSTYP | The SAF security type. | GWSTYP={1 \| 2 \| 3 \| 4} |
SAFPRINT | Specify whether security check trace messages should be written to DD SAFPRINT or to DD DDPRINT. If SAFPRINT=Y is specified but a SAFPRINT dataset is not provided, the trace messages will be written to DDPRINT. The SAFPRINT dataset must be defined in the daemon JCL and may refer to a SYSOUT dataset or to a file defined with RECFM=F (or FB) and LRECL=121. | SAFPRINT={N \| Y} |