Securing Entire Net-Work

This section describes the facilities for securing Entire Net-Work calls to data sources. The targets that can be selectively restricted to include Adabas SQL Server, EntireX Communicator, and Entire System Server.


Command Protection

Targets on the host are secured by defining resource profiles representing each Adabas database, Adabas SQL Server, or EntireX Communicator target. For Adabas, resource profiles can be defined at the file level. The command type determines which access level is required for successful authorization. All read and find commands are considered as READ access. Commands requiring UPDATE access are AMEND, ERASE, and INSERT.

NETSAF recognizes three categories of Adabas direct call commands:

  1. Data access commands (Lx, Sx and HI)

  2. Data update commands (Ax, Ex and Nx)

  3. The following Transaction data commands (Commands Which Access or Create ET Data):

    • RE commands with Option 1 set to A or I need read access;

    • OP commands with Command Option 2 set to E need read access;

    • ET, CL, and C3 commands with Command Option 2 set to E need update access.

    Note:
    NETSAF authorization calls are not performed when running BT Transaction Data Commands and the Special Commands C1, C5, HI, RC and RI.

Derivation of User ID

User ID derivation is of primary importance. Because security checks are based on trusted user IDs, no password verification is normally performed. However, the user ID must exist in the security repository. In some cases, the user ID is previously authenticated in the caller's home environment or the user ID is fixed by, for example, the Entire Net-Work configuration.

This section explains the choices for user ID derivation. A user's identity can be lost if calls are routed through an intermediate gateway node.

Windows Clients

The NWUIDW system parameter is used to specify the source of the user ID for database calls originating from a Windows client:

graphics/nwuidw.png

Value Description
2 The user ID is derived from a defined Entire Net-Work Link name.
3 The user ID is derived from a defined Entire Net-Work Node name. This is the default value.
5 All accesses use the common user ID (defined NWUSRW=name, where "WINUSER" is the default value).

UNIX Clients

The NWUIDU system parameter is used to specify the source of the user ID for database calls originating from a UNIX client:

graphics/nwuidu.png

Value Description
2 The user ID is derived from a defined Entire Net-Work Link name.
3 The user ID is derived from a defined Entire Net-Work Node name. This is the default value.
5 All accesses use the common user ID (defined NWUSRU=name, where "UNIXUSR" is the default value).

Mainframe Clients

The NWUIDH system parameter is used to specify the source of the user ID for database calls originating from a mainframe client:

graphics/nwuidh.png

Value Description
2 The user ID is derived from the originating job name.
5 All accesses use the common user ID (defined NWUSRH=name, where "HOSTUSR" is the default value). This is the default parameter value.
6 The user ID is the CPU ID of the calling machine.
7 The user ID is derived from the local security system if ADASAF or ADAESI is installed.

Defining Resource Profiles

In order to secure Entire Net-Work, it is necessary to define resource profiles denoting DBID and FNR in the SAF repository. Valid access levels are READ, UPDATE, and CONTROL. CONTROL applies to SYSAOS commands, for example.

The options defined in the system parameter module during the NETSAF installation procedure determine the actual look of the resource profiles. For example, the NWFLEN parameter determines whether leading zeros are included or not. Resources are defined using upper case characters only.

The following table contains examples of resource profile definitions:

Example Explanation
CMD195.FIL002 This three digit resource profile protects file 2 of database 195 and includes leading zeros.
CMD00019.FIL01053 This five digit resource profile protects file 1053 of database 19 and includes leading zeros.
CMD19.FIL1053 This is the same five digit resource profile with leading zeros omitted.
CMD01202 This five digit resource profile protects ESQ node 1202 and includes leading zeros.

Note:
If fixed-length Database IDs and file numbers are used in the resource profile names (that is, the NWFLEN parameter specifies 0 or 1). File number 00000 (NWFLEN=1) or 000 (NWFLEN=0) is checked for the relevant database. RE commands need read access; OP commands with Command Option 2 set to E need read access; ET, CL, and C3 commands with Command Option 2 set to E need update access.

NWFLEN Parameter

graphics/nwflen.png

Resource profile definitions are based on a character string containing the DBID and, optionally, the FNR associated with a command. The character string may be constructed from digits that include leading zeros.

The NWFLEN system parameter is used to specify whether leading zeros are included or not. If zeros are included, either three- or five-digit numbers are used, depending on whether the DBID or the FNR can exceed 255.

Value Description
0 3-digit resource profiles with leading zeros; this is the default value.
1 5-digit resource profiles with leading zeros.
2 3- and 5-digit resource profiles with no leading zeros.

Commands routed to the Adabas SQL Server automatically generate resource checks based on the five digit DBID. Security definitions protecting Adabas SQL Server itself must always be supplied in this format. When leading zeros are suppressed, commands with no file number are not validated. These commands include OP, CL, RC, RE, ET and BT.

NWUNI Parameter

graphics/nwuni.png

The NWUNI system parameter is used to allow access to resources that are not defined to the security system. Normally, access to undefined resources is prevented. Profiles representing Entire Net-Work targets are added to the security repository with either a default access or by granting access to specific users and groups. NWUNI=N is the default value.

Note:
This option does not allow access to resources that are defined with universal access "none".

NWSUPER Parameter

graphics/nwsuper.png

The NWSUPER system parameter is used to cause LPARs to be regarded as local access. This option is useful when the host machine is partitioned into two or more LPARs. Commands originating from a different LPAR on the same physical machine can be considered as coming from the host and therefore not subject to authorization checks. NWSUPER=N is the default value.

NWCPUID Parameter

graphics/nwcpuid.png

It is sometimes advantageous to regard a particular mainframe as "trusted". Authorization checks are not performed for commands originating from the trusted computer. The NWCPUID system parameter is used to specify the CPU ID of the trusted computer.

NWCLASS Parameter

graphics/nwclass.png

Each SAF based security system provides the facilities required for maintaining resource profiles. RACF enables the grouping of similar resource profiles into a resource class. CA-Top Secret and CA-ACF2 provide resource types which give equivalent functionality.

The NWCLASS system parameter is used to specify the name of the resource class or type used when performing authorization checks for Entire Net-Work. ADASEC is the default value. The maximum length of a resource name is 17 characters.

Defining Resources to RACF

This section explains how to add resource definitions to RACF. For details about the procedures to be followed, refer to the relevant IBM manuals.

Step 1. Add Classes to Class Descriptor Table

Add resource classes to the RACF Class descriptor table. Refer to the IBM SPL RACF manual. An example is given in IBM SYS1.SAMPLIB, member RACTABLE.

Classes must be allocated the maximum lengths as described above and be defined for discrete and generic profile use. Other attributes control the level of RACF logging and SMF recording when executing RACROUTE calls. Sample definitions are provided in member RACTABLE.

Step 2. Update z/OS Router Table

Update the z/OS router table. Refer to the IBM SPL RACF manual. An example is given in IBM SYS1.SAMPLIB, member RACTABLE, section RFTABLE.

Step 3. Activate New Classes

Activate new resource classes with SETROPTS. Refer to the IBM RACF Command Language Reference.

For example, activate class ADASEC:

SETROPTS CLASSACT(ADASEC)
SETROPTS GENCMD(ADASEC)
SETROPTS GENERIC(ADASEC)

Step 4. Assign a User ID for the Started Task

NETSAF is run as a started task or batch job. It requires a user ID that has the relevant RACF authorizations including the ability to perform RACROUTE, TYPE=EXTRACT calls on profiles belonging to the resource classes activated in Step 3 above.

Step 5. Permit Users Access to Resource Profiles

Add profiles to protect the different resources and permit users the required level of access. The following RACF commands add resource profile CMD00001.FIL01234 and grant READ access to the userid "DAN":

RDEFINE ADASEC CMD00001.FIL01234 UACC(NONE)
PERMIT CMD00001.FIL01234 CLASS(ADASEC) ACCESS(READ) ID(DAN)

Defining Resources to CA-ACF2 Version 5

This section explains how to define resources to CA-ACF2 version 5. For details about the procedures to be followed, refer to the relevant CA-ACF2 manuals.

Step 1. Add Task User ID to CA-ACF2

NETSAF normally executes as a z/OS started task. Define the user ID of the started task to CA-ACF2 with the following attributes:

MUSASS,NON-CNCL,STC

To avoid using the NON-CNCL attribute, APAR TW95626 must be applied.

Step 2. Activate the SAF Interface

Use the following command to activate the SAF Interface:

GSO OPTS - SAF

Step 3. Insert the SAFSAVE Record

Switch off all SAF checks:

SAFSAVE CLASSES(-) CNTLPTS(-) SUBSYS(-)

Step 4. Insert the SAFPROT Record

Switch on the SAF security checks for Entire Net-Work SAF Security Interface:

CLASSES(-) CNTLPTS(-) SUBSYS(ADARUN)

Step 5. Insert the SAFMAPS Record

Define a three-character CA-ACF2 resource type code for the general resource class name used by Entire Net-Work SAF Security Interface:

SAFMAPS MAPS(ADA/ADASEC)

Step 6. Define Resource Rules

Define the required security profiles in CA-ACF2 using the new type code. In the following example, the resource CMD00001.FIL01234 is added and user ID "DAN" is given READ access:

$KEY(CMD00001.FIL01234) TYPE(ADA) UID(DAN) ALLOW SERVICE(READ) 

Defining Resources to CA-ACF2 Version 6

This section explains how to define resources to CA-ACF2 version 6. For details about the procedures to be followed, refer to the relevant CA-ACF2 manuals.

Step 1. Add Task User ID to CA-ACF2

NETSAF normally executes as a z/OS started task. Define the user ID of the started task to CA-ACF2 with the following attributes:

MUSASS,STC

Because CA-ACF2 version 6 is more SAF-compliant than version 5, TW95626 is not required.

Step 2. Insert the SAFDEF Record

The SAFDEF record must be inserted as follows:

SAFDEF FUNCRET(4) FUNCRSN(0) ID(SAFGWAY) MODE(GLOBAL)
RACROUTE(REQUEST=AUTH SUBSYS=ADARUN- REQSTOR=- )
RETCODE(4) 

Step 3. Insert the CLASMAP Record

Define a three-character CA-ACF2 resource type code for the general resource class name used by Entire Net-Work SAF Security Interface:

CLASMAP
ENTITYLN(0) MUSID() RESOURCE(ADASEC) RSRCTYPE(ADA) 

Step 4. Define Resource Rules

Define the required security profiles in CA-ACF2 using the new type code. In the following example, the resource CMD00001.FIL01234 is added and user ID "DAN" is given READ access:

$KEY(CMD00001.FIL01234) TYPE(ADA) UID(DAN) ALLOW SERVICE(READ)

Defining Resources to CA-Top Secret

This section explains how to define resources to CA-Top Secret. For details about the procedures to be followed, refer to the relevant CA-Top Secret documentation.

Step 1. Assign Additional CA-Top Secret Facilities

Entire Net-Work SAF Security Interface issues authorization checks against specific CA-Top Secret facilities. By default, these facilities are batch and STC.

Additional facilities can be defined by modifying pre-defined models. For example, a facility can be defined that enables development and production environments to be secured separately.

The following attributes are important and should be assigned when modifying facilities for Entire Net-Work SAF Security Interface:

NAME=fac,AUTHINIT,MULTIUSER,NONPWR,PGM=ADA,NOABEND

Step 2. Assign a User ID for the Started Task

Add one user ID for each instance of the Entire Net-Work started task. If required, different facilities can be assigned to development and production tasks.

The designated facility is assigned to the started task user ID:

TSS CRE(userid) DEPT(dept) MASTFAC(fac)

Step 3. Add a Procedure Name for the Started Task

The procedure name under which the Entire Net-Work started task executes must be defined to CA-Top Secret. Different procedure names are suggested when securing different environments separately with the use of non-default CA-Top Secret facilities:

TSS ADD(STC) PROC(proc) USER(userid)

Step 4. Add Resource Type to Resource Definition Table

Resource types must be added to the CA-Top Secret resource definition table (RDT). Resource definitions relating to Entire Net-Work SAF Security Interface are kept in resource type ADASEC. For a detailed explanation of the following command and arguments, refer to the CA-Top Secret Reference Guide:

TSS ADD(RDT) RESCLASS(ADASEC)
RESCODE(HEXCODE)
ATTR(LONG)
ACLST(NONE,READ,CONTROL)
DEFACC(NONE)

Step 5. Assign Ownership of Resources

Assign ownership to each resource. This must be done before granting access to defined resource profiles. In the following example, ownership of resource CMD00001.FIL01234 is assigned to user ID "DAN".

TSS ADD(DAN) ADASEC(CMD00001.FIL01234)

Step 6. Grant Access to Defined Resources

Grant users access to resource profiles. In the following example, user ID "ELLEN" is granted READ access to an EntireX Communicator service. This enables the user to execute as a client, issuing requests to the EntireX Communicator service:

TSS PER(ELLEN) ADASEC(CMD00001.FIL01234) FAC(fac)
ACCESS(READ)

The FAC (facility) argument can be omitted if Entire Net-Work SAF Security Interface operates under the Master facility Batch or STC.