Entire Net-Work Client includes an external security interface for ADASAF support that provides access to secured Adabas resources on a z/OS host node. To secure these resources on the host node, Adabas interacts with the Adabas SAF Security Kernel (ADASAF), an Adabas add-on product. ADASAF links Adabas to the CA-ACF2, CA-Top Secret, or RACF external security packages installed on the host system. For more information about the Adabas SAF Security Kernel, refer to its documentation.
Before you can use ADASAF to access secured Adabas resources on a z/OS host, your access information (user ID and password) must be supplied to ADASAF. You can do this using one of the following methods:
In Windows environments only, you can supply your access information using the online security application and the External Security Interface Logon dialog. Read Accessing z/OS Resources Using the Online Security Application for more information.
In any environment, you can supply your access information by modifying and using a provided security exit. This method should be used where you want full control of obtaining the logon information. A sample security exit is provided in the Adabas Client libraries included with Entire Net-Work Client called lnkxsaf. For more information, read Accessing z/OS Resources Using the Security Exit.
This document covers the following topics:
To select the external security method you prefer to use, you must set some parameters in the System Management Hub. In addition, regardless of the method selected, you must set parameters that identify the Adabas SAF Security Kernel library and function that should be used for access to secured z/OS host resources.
This section describes how to specify these parameters using the System Management Hub, but you can also specify them as environment variables instead.
To set the external security method and the Adabas SAF Security Kernel parameters:
Make sure you have accessed the System Management Hub.
Select and expand Entire Net-Work Client from the list in tree-view to access the Entire Net-Work Client administration area.
Select and expand Clients from the Entire Net-Work Client sublist.
A list of machine names appears. The machines listed are computers on which clients managed by this installation of the System Management Hub are defined.
Select and expand the client machine on which the client is defined.
The client configuration section becomes available in tree-view.
Right-click on the client configuration whose parameters you want to maintain and selectfrom the resulting drop-down list.
The Set ADASAF Parameters panel appears in detail-view.
Modify the parameters on the ADASAF Parameters panel, as described in the following table. When all parameters are set as you want, click to save them.
This parameter is available for Windows systems only.
Indicate whether the external security online application should be used to supply the logon information instead of a user exit. Valid values are "YES" (use the online application) or "NO" (use a user exit). The default is "NO". If LNKADAESI is set to "YES" and a value is given in LNKADASAF, the online application is used (LNKADAESI settings override LNKADASAF).
|Specify the library and function
names of the user exit that will provide access to the secured Adabas resource
via the Adabas SAF Security Kernel (ADASAF). The library and function names
should be specified with a space between them, using the following format:
If no names are specified, ("<not defined>" is listed) and the value "lnkxsaf lnkxsaf" is used. (The lnkxsaf library is either lnkxsaf.dll or lnkxsaf.so).
|A value of "lnkxsaf lnkxsaf" is used.
The parameters are updated in the appropriate Entire Net-Work Client configuration file.
When you elect to use the online security application to access Adabas secured resources, your access information (user ID and password) must be supplied via an external security interface logon dialog. The user ID and password you specify on the logon dialog are encrypted and stored on the local node to confirm that you have logged on. They are then used by the Adabas SAF Security Kernel (ADASAF) when you attempt to use an application that accesses a secured Adabas resource. You can elect to use the external security interface online application by setting the LNKADAESI parameter (or environment variable) to "YES". For more information, read Specifying the External Security Method and Appropriate Adabas SAF Security Kernel Parameters.
This section covers the following topics:
You can access the external security interface logon dialog either manually or dynamically.
If you elect to access the logon dialog dynamically, the Adabas SAF Security Kernel will issue a response code when you first attempt to access an Adabas secured resource. When the response code is returned, it is intercepted by Entire Net-Work Client and the logon dialog appears. After supplying the logon information requested by the dialog (as explained later in this section), Entire Net-Work Client resubmits the request to the Adabas secured resource.
The user ID and password you specify on the logon dialog are encrypted and stored on the local node to confirm that you have logged on. They are then used for any Adabas security checks that occur when you execute an application that requests access to Adabas-secured resources.
If the security check is passed, the application is allowed to access those resources that are permitted according to your Adabas security user profile.
If the security check is not passed, an Adabas security response code is returned to the application.
If you elect to access the logon dialog manually, complete the following steps:
Run the adaesi.exe executable file in the Adabas Client directories of your installation (usually \Program Files (x86)\Software AG\Adabas Client Package\vx.x.x\opt\bin).
You may want to add this to your Startup folder.
The External Security Interface Logon dialog appears, as shown below.
Supply a valid user ID and password in the User ID and Password fields and then click .
The user ID and password may be case-sensitive, depending on how the external security package is configured. In addition, the user ID and password must correspond to those known to the external security package on the z/OS node.
Once you have clicked, your logon access information is encrypted and stored. The user ID and password are not validated; the green symbol that appears on this dialog only indicates that a user ID and password combination has been supplied. Validation occurs when the user ID and password are actually used.
If your password has expired, the dialog contains the message "New Password Required". Enter a new password in the New Password field and retype the password in the Confirmation field to confirm it.
Once you have specified logon information for the external security interface, you can specify the amount of time, in minutes, that Adabas can remain inactive (no Adabas calls) before you are automatically logged out. This feature is provided to prevent unauthorized access to Adabas-secured resources when your PC is left unattended. To specify an automatic logoff time, specify a value from "0" (zero) to "1440" minutes (24 hours) in the Auto Logoff field on the external security interface logon dialog. The default value is 60 minutes.
If the Auto Logoff value is "60", you are logged off of Adabas security after 60 minutes of Adabas inactivity. When you log on again, the security check is performed as if you were logging on for the first time.
If the Auto Logoff value is "0", no automatic logoff occurs.
The user ID and password you specify on the logon dialog are encrypted and stored on the local node to confirm that you have logged on.
To modify the method used to encrypt and decrypt the external security interface logon dialog information:
Locate and edit the adacrypt.c file supplied in the Adabas Client directories included with your Entire Net-Work Client installation. This user exit file, the encryption and decryption source code, and the files required to compile and link the source code are provided in the Adabas Client directories (usually the \ProgramData\Software AG\Adabas Client Package\vx.x.x\examples\adaesi directory of the installation).
Modify the encryption and decryption code in adacrypt.c as required and then compile and link it using the files in the same Adabas Client directory.
Do not change the name of the DLL (adacrypt.dll) or the procedure name used in the encryption/decryption program.
When you elect to use the security exit to access an Adabas secured resource, the user exit must supply the logon and other access information. This security access information is then used when you attempt to use an application that accesses a secured Adabas resource. You can elect to use the external security interface online application by setting the LNKADAESI parameter (or environment variable) to blank or "NO" and specifying the user exit library and function name in the LNKADASAF parameter (or environment variable). There is no default. For more information, read Specifying the External Security Method and Appropriate Adabas SAF Security Kernel Parameters.
To modify and use the security exit:
Locate and edit the user exit (the lnkxsaf.c file) supplied in the Adabas Client directories included with your Entire Net-Work Client installation. The user exit and the files required to compile and link the source code are provided in the Adabas Client directories (usually the \ProgramData\Software AG\Adabas Client Package\vx.x.x\examples\adasaf directory of the installation).
Modify the lnkxsaf.c user exit as required and then compile and link it using the files in the same Adabas Client directory.