Installing Natural SAF Security on z/OS

This document describes the steps for installing Natural SAF Security (product code NSF) on z/OS.

Related Topic:

For information on the features and functions provided by Natural SAF Security, see the Natural SAF Security documentation.

Notation vrs or vr:

When used in this document, the notation vrs or vr represents the relevant product version (see also Version in the Glossary).


Prerequisites

Supported versions of the following products must be installed before you can install Natural SAF Security:

  • Natural Security

  • Adabas

  • Adabas Limited Libraries

  • SAF-compliant security system

See also General Prerequisites and System Support in the section Overview of the Installation Process.

Installation Medium

The installation medium contains the following data sets required for product installation:

Data Set       Contents
NSFvrs.LOAD    Load modules
NSFvrs.INPL    Natural objects

Copy the data sets into your environment as described in Copying Data Sets to a z/OS Disk in the section Installing Natural.

Sample Jobs

Sample installation jobs are contained in the NATvrs.JOBS data set and are prefixed with the product code. The data set is provided on the installation medium supplied for base Natural.

Installation Procedure

Be sure to read Installation Process and Major Natural Features before you start the installation procedure.

Step 1: Load the Natural Objects

(Job I005)

  • Load the Natural objects specific to Natural SAF Security from the NSFvrs.INPL data set into the appropriate Natural libraries in your FNAT system file by using the Natural INPL utility.

Step 2: Build the Natural Parameter Module

(Job I060, Step 0010)

Build the Natural parameter module. The parameters and macros mentioned in this section are described in the Parameter Reference documentation.

  1. Specify the following with the NTDS macro:

    NTDS NSFSIZE,8

    8 KB is the minimum NSFSIZE value. Depending on your usage of Natural SAF Security, a higher value may be required, which can be calculated as follows:

    4 KB + (e * 17 bytes) + ((p + r) * 8 bytes), rounded up to the next KB

    where:
    e is the number of protected environments,
    p is the number of protected Natural objects,
    r is the number of protected RPC services.

    You can also use the dynamic profile parameter DS to specify NSFSIZE at the start of a Natural session:

    DS=(NSFSIZE,8)

  2. If you want to use Natural SAF Security to control the execution of Natural objects, specify the following in the NTRDC macro of the Natural parameter module:

    NTRDC SIZE=2,EXIT=(RDCEX3,2000)

    You can also use the corresponding dynamic profile parameter RDC to specify the parameter at the start of a Natural session:

    RDC=(SIZE=2,EXIT=(RDCEX3,2000))

    Note:
    If this feature is used, you have to link the Natural SAF Security module NSFNUC either to the Natural parameter module or to the nucleus (in the case of an environment-independent nucleus, to the environment-independent part).

  3. Assemble and link the Natural parameter module.

Step 3: Relink the Nucleus

(Job I060, I080)

Adapt the link steps for Natural:

  1. Add the following INCLUDE statement to the link of the nucleus to include Natural SAF Security modules:

    INCLUDE NSFLIB(NSFNUC)

    If you are using a shared nucleus, include this statement in the link of the shared part.

  2. Add the corresponding DD statement:

    //NSFLIB DD DSN=NSFvrs.LOAD,DISP=SHR

  3. Relink your nucleus as described in Link the Nucleus in Installing Natural.

Step 4: Install the SAF Server

The SAF Server, also known as the SAF Security Daemon, executes in its own address space as a target in the Software AG network. The SAF Security Kernel operates within the daemon. The SAF Security Daemon and the SAF Security Kernel are delivered with the Adabas Limited Libraries (product code WAL).

Refer to the SAF Security Kernel documentation for information on how to install the SAF Security Kernel in daemon installation mode and how to configure it using the SAFCFG configuration module.

For the correct operation of Natural SAF Security, you must consider the following SAFCFG parameters.

GWDBID: Node ID of the SAF Security Daemon

Parameter: GWDBID

Description: Node ID of the SAF Security Daemon.

The node ID defined for GWDBID must be the same as the node ID defined to the SAF Security Daemon runtime parameter NODE= (assigned during the installation of the SAF Security Kernel in daemon mode) and the Server ID defined in the General NSF Options 1 screen of the Administrator Services.

Syntax: GWDBID={1234|nnnnn}

GWSIZE: Storage Size for Caching User Information

Parameter: GWSIZE

Description: The amount of storage in kilobytes used for caching user information.

Generally, size this parameter based on approximately 512 bytes per user.

The number of cached checks set by SAFCFG parameters NANUPG, NANURP, NANUSF, and NANUTC affects the usage of this storage. Refer to the corresponding explanation below for more information on each of these parameters.

Use SAF Online Services to determine the efficiency of the current value by monitoring the number of checks overwritten in the System Statistics menu option.

Syntax: GWSIZE={256|nnnn}

NACKPG: Programming Object Protection

NACKRP: RPC Services Protection

NACKSF: Environment Protection

NACKTC: Library Protection

Parameters: NACKPG, NACKRP, NACKSF, NACKTC

Description: These parameters are redundant.

The protection options originally offered by these parameters can only be set online using the General NSF Options 2 screen of the Administrator Services.

Any value (Y or N) defined to these parameters is ignored.

When Natural SAF Security first connects to the SAF Security Daemon, the administrator-defined protection options are dynamically passed to the SAF Security Daemon.

Syntax: NACKxx={N|Y}

NACLAP: Resource Class Name for User-Defined Resources

Parameter: NACLAP

Description: The name of the resource class used in authorization checks against User-Defined Resources.

The name can be up to eight alphanumeric characters.

Refer to User-Defined Resources for more information.

Syntax: NACLAP={NPGSAG|aa..}

NACLPG: Resource Class Name for Programming Objects

Parameter: NACLPG

Description: The name of the resource class used in authorization checks against Programming Objects.

The name can be up to eight alphanumeric characters.

Refer to Programming Objects for more information.

Syntax: NACLPG={NPGSAG|aa..}

NACLRP: Resource Class Name for RPC Services

Parameter: NACLRP

Description: The name of the resource class used in authorization checks against RPC Services.

The name can be up to eight alphanumeric characters.

Refer to RPC Services for more information.

Syntax: NACLRP={NRPSAG|aa..}

NACLSF: Resource Class Name for Environments

Parameter: NACLSF

Description: The name of the resource class used in authorization checks against Environments.

The name can be up to eight alphanumeric characters.

Refer to Environments for more information.

Syntax: NACLSF={NSFSAG|aa..}

NACLTC: Resource Class Name for Libraries

Parameter: NACLTC

Description: The name of the resource class used in authorization checks against Libraries.

The name can be up to eight alphanumeric characters.

Refer to Libraries for more information.

Syntax: NACLTC={NTCSAG|aa..}

NAFLEN: Format of Database ID and File Number in Environment Profiles

Parameter: NAFLEN

Description: The format of the Database ID and File number in Environment resource profiles.

Valid values are:

  • 0 – 3 digits with leading zeros

  • 1 – 5 digits with leading zeros

Note:
Set this parameter to 1 to support large (5-digit) database IDs and file numbers.

Refer to Environments for more information.

Syntax: NAFLEN={0|1}

NANUPG: Number of cached Programming Object Checks

Parameter: NANUPG

Description: This is the number of successful Programming object checks to be cached.

Each cached check takes approximately 23 bytes from the storage size specified by the SAFCFG parameter GWSIZE.

Use SAF Online Services to determine the efficiency of the current value by monitoring the number of checks overwritten in the System Statistics menu option.

For more information on programming objects, refer to the Protect Natural Modules option in Library Options.

Minimum: 0
Maximum: 32767
Syntax: NANUPG={0|nnnnn}

NANURP: Number of cached RPC Service Checks

Parameter: NANURP

Description: This is the number of successful RPC service checks to be cached.

Each cached check takes approximately 26 bytes from the storage size specified by the SAFCFG parameter GWSIZE.

Use SAF Online Services to determine the efficiency of the current value by monitoring the number of checks overwritten in the System Statistics menu option.

For more information on RPC service checks, refer to RPC Options.

Minimum: 0
Maximum: 32767
Syntax: NANURP={0|nnnnn}

NANUSF: Number of cached Environment Checks

Parameter: NANUSF

Description: This is the number of successful Environment checks to be cached.

Each cached check takes approximately 40 bytes from the storage size specified by the SAFCFG parameter GWSIZE.

Use SAF Online Services to determine the efficiency of the current value by monitoring the number of checks overwritten in the System Statistics menu option.

For more information on Environment checks, refer to Environment Options.

Minimum: 0
Maximum: 32767
Syntax: NANUSF={0|nnnnn}

NANUTC: Number of cached Library Checks

Parameter: NANUTC

Description: This is the number of successful Library checks to be cached.

Each cached check takes approximately 10 bytes from the storage size specified by the SAFCFG parameter GWSIZE.

Use SAF Online Services to determine the efficiency of the current value by monitoring the number of checks overwritten in the System Statistics menu option.

For more information on Library checks, refer to Library Options.

Minimum: 0
Maximum: 32767
Syntax: NANUTC={0|nnnnn}
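
The following pre-installation check is an added example, not part of the product documentation or of any Software AG tool. It applies the NSFSIZE formula from Step 2 and the SAFCFG constraints listed in Step 4 to a set of planned values. The function names, the dict-of-strings input and the sample values are assumptions made for illustration; the script does not read a real SAFCFG module.

```python
import math
import re

# Approximate bytes each cached check takes from GWSIZE storage (figures from this page).
CHECK_BYTES = {"NANUPG": 23, "NANURP": 26, "NANUSF": 40, "NANUTC": 10}
CLASS_PARAMS = ("NACLAP", "NACLPG", "NACLRP", "NACLSF", "NACLTC")
IGNORED = ("NACKPG", "NACKRP", "NACKSF", "NACKTC")


def nsfsize_kb(e, p, r):
    """NSFSIZE in KB for e environments, p Natural objects, r RPC services."""
    size_bytes = 4 * 1024 + e * 17 + (p + r) * 8
    return max(8, math.ceil(size_bytes / 1024))  # 8 KB is the documented minimum


def check_safcfg(cfg, daemon_node, nsf_server_id):
    """Return findings for a dict of SAFCFG values; unset parameters are skipped."""
    findings = []
    if not (cfg.get("GWDBID") == daemon_node == nsf_server_id):
        findings.append("GWDBID: must equal daemon NODE= and the NSF Server ID")
    for name in CLASS_PARAMS:
        if name in cfg and not re.fullmatch(r"[A-Za-z0-9]{1,8}", cfg[name]):
            findings.append(f"{name}: up to eight alphanumeric characters")
    if cfg.get("NAFLEN", "0") not in ("0", "1"):
        findings.append("NAFLEN: valid values are 0 and 1")
    cache_bytes = 0
    for name, per_check in CHECK_BYTES.items():
        raw = cfg.get(name, "0")
        if raw.isdigit() and int(raw) <= 32767:
            cache_bytes += int(raw) * per_check
        else:
            findings.append(f"{name}: must be in the range 0 to 32767")
    if cfg.get("GWSIZE", "").isdigit() and cache_bytes > int(cfg["GWSIZE"]) * 1024:
        findings.append(f"GWSIZE: check caches alone need about {cache_bytes} bytes")
    for name in IGNORED:
        if name in cfg:
            findings.append(f"{name}: ignored; set protection in General NSF Options 2")
    return findings


# Constructed sample values, not taken from a real installation.
SAMPLE = {"GWDBID": "1234", "GWSIZE": "256", "NACKPG": "Y", "NACLPG": "NPGSAG",
          "NACLTC": "NTC-SAG1", "NAFLEN": "1", "NANUPG": "40000", "NANUSF": "100"}

if __name__ == "__main__":
    print("NSFSIZE for e=100, p=500, r=20:", nsfsize_kb(100, 500, 20), "KB")
    for finding in check_safcfg(SAMPLE, daemon_node="1234", nsf_server_id="1235"):
        print("finding:", finding)
```

The NACKxx finding matters most in review: a Y coded there does not enable protection, so the effective setting has to be confirmed in the General NSF Options 2 screen.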

Installation Verification

Natural SAF Security is operational after Step 4: Install the SAF Server of the Installation Procedure has been completed successfully.

After the installation, proceed as described in Activating Natural SAF Security in the Natural SAF Security documentation.