This section describes the facilities for securing Entire Net-Work calls to data sources. The targets that can be selectively restricted to include Adabas SQL Server, EntireX Communicator, and Entire System Server.
Targets on the host are secured by defining resource profiles representing each Adabas database, Adabas SQL Server, or EntireX Communicator target. For Adabas, resource profiles can be defined at the file level. The command type determines which access level is required for successful authorization. All read and find commands are considered as READ access. Commands requiring UPDATE access are AMEND, ERASE, and INSERT.
NETSAF recognizes three categories of Adabas direct call commands:
Data access commands (Lx, Sx and HI)
Data update commands (Ax, Ex and Nx)
The following Transaction data commands (Commands Which Access or Create ET Data):
RE commands with Option 1 set to A or I need read access;
OP commands with Command Option 2 set to E need read access;
ET, CL, and C3 commands with Command Option 2 set to E need update access.
Note:
NETSAF authorization calls are not performed when running BT
Transaction Data Commands and the Special Commands C1, C5, HI, RC and
RI.
User ID derivation is of primary importance. Because security checks are based on trusted user IDs, no password verification is normally performed. However, the user ID must exist in the security repository. In some cases, the user ID is previously authenticated in the caller's home environment or the user ID is fixed by, for example, the Entire Net-Work configuration.
This section explains the choices for user ID derivation. A user's identity can be lost if calls are routed through an intermediate gateway node.
The NWUIDW system parameter is used to specify the source of the user ID for database calls originating from a Windows client:
| Value | Description |
|---|---|
| 2 | The user ID is derived from a defined Entire Net-Work Link name. |
| 3 | The user ID is derived from a defined Entire Net-Work Node name. This is the default value. |
| 5 | All accesses use the common user ID (defined NWUSRW=name, where "WINUSER" is the default value). |
The NWUIDU system parameter is used to specify the source of the user ID for database calls originating from a UNIX client:
| Value | Description |
|---|---|
| 2 | The user ID is derived from a defined Entire Net-Work Link name. |
| 3 | The user ID is derived from a defined Entire Net-Work Node name. This is the default value. |
| 5 | All accesses use the common user ID (defined NWUSRU=name, where "UNIXUSR" is the default value). |
The NWUIDH system parameter is used to specify the source of the user ID for database calls originating from a mainframe client:
| Value | Description |
|---|---|
| 2 | The user ID is derived from the originating job name. |
| 5 | All accesses use the common user ID (defined NWUSRH=name, where "HOSTUSR" is the default value). This is the default parameter value. |
| 6 | The user ID is the CPU ID of the calling machine. |
| 7 | The user ID is derived from the local security system if ADASAF or ADAESI is installed. |
In order to secure Entire Net-Work, it is necessary to define resource profiles denoting DBID and FNR in the SAF repository. Valid access levels are READ, UPDATE, and CONTROL. CONTROL applies to SYSAOS commands, for example.
The options defined in the system parameter module during the NETSAF installation procedure determine the actual look of the resource profiles. For example, the NWFLEN parameter determines whether leading zeros are included or not. Resources are defined using upper case characters only.
The following table contains examples of resource profile definitions:
| Example | Explanation |
|---|---|
| CMD195.FIL002 | This three digit resource profile protects file 2 of database 195 and includes leading zeros. |
| CMD00019.FIL01053 | This five digit resource profile protects file 1053 of database 19 and includes leading zeros. |
| CMD19.FIL1053 | This is the same five digit resource profile with leading zeros omitted. |
| CMD01202 | This five digit resource profile protects ESQ node 1202 and includes leading zeros. |
Note:
If fixed-length Database IDs and file numbers are
used in the resource profile names (that is, the NWFLEN parameter specifies 0
or 1). File number 00000 (NWFLEN=1) or 000 (NWFLEN=0) is checked for the
relevant database. RE commands need read access; OP commands with Command
Option 2 set to E need read access; ET, CL, and C3 commands with Command Option
2 set to E need update access.
Resource profile definitions are based on a character string containing the DBID and, optionally, the FNR associated with a command. The character string may be constructed from digits that include leading zeros.
The NWFLEN system parameter is used to specify whether leading zeros are included or not. If zeros are included, either three- or five-digit numbers are used, depending on whether the DBID or the FNR can exceed 255.
| Value | Description |
|---|---|
| 0 | 3-digit resource profiles with leading zeros; this is the default value. |
| 1 | 5-digit resource profiles with leading zeros. |
| 2 | 3- and 5-digit resource profiles with no leading zeros. |
Commands routed to the Adabas SQL Server automatically generate resource checks based on the five digit DBID. Security definitions protecting Adabas SQL Server itself must always be supplied in this format. When leading zeros are suppressed, commands with no file number are not validated. These commands include OP, CL, RC, RE, ET and BT.
The NWUNI system parameter is used to allow access to resources that are not defined to the security system. Normally, access to undefined resources is prevented. Profiles representing Entire Net-Work targets are added to the security repository with either a default access or by granting access to specific users and groups. NWUNI=N is the default value.
Note:
This option does not allow access to resources that are
defined with universal access "none".
The NWSUPER system parameter is used to cause LPARs to be regarded as local access. This option is useful when the host machine is partitioned into two or more LPARs. Commands originating from a different LPAR on the same physical machine can be considered as coming from the host and therefore not subject to authorization checks. NWSUPER=N is the default value.
It is sometimes advantageous to regard a particular mainframe as "trusted". Authorization checks are not performed for commands originating from the trusted computer. The NWCPUID system parameter is used to specify the CPU ID of the trusted computer.
Each SAF based security system provides the facilities required for maintaining resource profiles. RACF enables the grouping of similar resource profiles into a resource class. CA-Top Secret and CA-ACF2 provide resource types which give equivalent functionality.
The NWCLASS system parameter is used to specify the name of the resource class or type used when performing authorization checks for Entire Net-Work. ADASEC is the default value. The maximum length of a resource name is 17 characters.
This section explains how to add resource definitions to RACF. For details about the procedures to be followed, refer to the relevant IBM manuals.
Add resource classes to the RACF Class descriptor table. Refer to the IBM SPL RACF manual. An example is given in IBM SYS1.SAMPLIB, member RACTABLE.
Classes must be allocated the maximum lengths as described above and be defined for discrete and generic profile use. Other attributes control the level of RACF logging and SMF recording when executing RACROUTE calls. Sample definitions are provided in member RACTABLE.
Update the z/OS router table. Refer to the IBM SPL RACF manual. An example is given in IBM SYS1.SAMPLIB, member RACTABLE, section RFTABLE.
Activate new resource classes with SETROPTS. Refer to the IBM RACF Command Language Reference.
For example, activate class ADASEC:
SETROPTS CLASSACT(ADASEC) SETROPTS GENCMD(ADASEC) SETROPTS GENERIC(ADASEC)
NETSAF is run as a started task or batch job. It requires a user ID that has the relevant RACF authorizations including the ability to perform RACROUTE, TYPE=EXTRACT calls on profiles belonging to the resource classes activated in Step 3 above.
Add profiles to protect the different resources and permit users the required level of access. The following RACF commands add resource profile CMD00001.FIL01234 and grant READ access to the userid "DAN":
RDEFINE ADASEC CMD00001.FIL01234 UACC(NONE) PERMIT CMD00001.FIL01234 CLASS(ADASEC) ACCESS(READ) ID(DAN)
This section explains how to define resources to CA-ACF2. For details about the procedures to be followed, refer to the relevant CA-ACF2 manuals.
NETSAF normally executes as a z/OS started task. Define the user ID of the started task to CA-ACF2 with the following attributes:
MUSASS,STC
The SAFDEF record must be inserted as follows:
SAFDEF FUNCRET(4) FUNCRSN(0) ID(SAFGWAY) MODE(GLOBAL) RACROUTE(REQUEST=AUTH SUBSYS=ADARUN- REQSTOR=- ) RETCODE(4)
Define a three-character CA-ACF2 resource type code for the general resource class name used by Entire Net-Work SAF Security Interface:
CLASMAP ENTITYLN(0) MUSID() RESOURCE(ADASEC) RSRCTYPE(ADA)
Define the required security profiles in CA-ACF2 using the new type code. In the following example, the resource CMD00001.FIL01234 is added and user ID "DAN" is given READ access:
$KEY(CMD00001.FIL01234) TYPE(ADA) UID(DAN) ALLOW SERVICE(READ)
This section explains how to define resources to CA-Top Secret. For details about the procedures to be followed, refer to the relevant CA-Top Secret documentation.
Entire Net-Work SAF Security Interface issues authorization checks against specific CA-Top Secret facilities. By default, these facilities are batch and STC.
Additional facilities can be defined by modifying pre-defined models. For example, a facility can be defined that enables development and production environments to be secured separately.
The following attributes are important and should be assigned when modifying facilities for Entire Net-Work SAF Security Interface:
NAME=fac,AUTHINIT,MULTIUSER,NONPWR,PGM=ADA,NOABEND
Add one user ID for each instance of the Entire Net-Work started task. If required, different facilities can be assigned to development and production tasks.
The designated facility is assigned to the started task user ID:
TSS CRE(userid) DEPT(dept) MASTFAC(fac)
The procedure name under which the Entire Net-Work started task executes must be defined to CA-Top Secret. Different procedure names are suggested when securing different environments separately with the use of non-default CA-Top Secret facilities:
TSS ADD(STC) PROC(proc) USER(userid)
Resource types must be added to the CA-Top Secret resource definition table (RDT). Resource definitions relating to Entire Net-Work SAF Security Interface are kept in resource type ADASEC. For a detailed explanation of the following command and arguments, refer to the CA-Top Secret Reference Guide:
TSS ADD(RDT) RESCLASS(ADASEC) RESCODE(HEXCODE) ATTR(LONG) ACLST(NONE,READ,CONTROL) DEFACC(NONE)
Assign ownership to each resource. This must be done before granting access to defined resource profiles. In the following example, ownership of resource CMD00001.FIL01234 is assigned to user ID "DAN".
TSS ADD(DAN) ADASEC(CMD00001.FIL01234)
Grant users access to resource profiles. In the following example, user ID "ELLEN" is granted READ access to an EntireX Communicator service. This enables the user to execute as a client, issuing requests to the EntireX Communicator service:
TSS PER(ELLEN) ADASEC(CMD00001.FIL01234) FAC(fac) ACCESS(READ)
The FAC (facility) argument can be omitted if Entire Net-Work SAF Security Interface operates under the Master facility Batch or STC.