Installation

This section describes how to install the SAF Security Kernel.

This document covers the following topics:


Prerequisites and Considerations

This section describes the prerequisites and considerations for installing the SAF Security Kernel.

Operating Systems

The SAF Security Kernel is compatible with the z/OS operating system.

Security Systems

The SAF Security Kernel is compatible with all SAF-compliant security systems such as ACF2, RACF, and Top Secret.

Software Prerequisites

The SAF Security Kernel uses the common SAF components provided on the Adabas Limited Library, widely known as the WAL libraries.

Products which require the use of the SAF Security Kernel can be used with any supported version of the WAL library. However, specific product features may require a certain version of the WAL library. The relevant product feature description indicates whenever this is the case.

APF Authorization

The SAF Security Kernel load library and any other step libraries in its loading environment must be APF authorized.

Installation Datasets

The SAF Security Kernel is supplied as a component of the Adabas Limited Libraries (product code WAL).

Dataset Description
WALvrsLOAD Standard load library containing modules (prefixed SAF*) required to operate the SAF Security Kernel.
WALvrsSRCE Standard source library containing Assemble macros (prefixed NA2M*) source books and, sample input (prefixed SAF*).
WALvrsJOBS Standard jobs library containing sample installation jobs (prefixed SAFI*).

Installation Procedure

This section describes how to install the SAF Security Kernel.

Step 1: Creating the SAFCFG Configuration Module

(Sample Job SAFI010)

The SAFCFG configuration module is created by assembling a source member. Refer to the sample SAFPARMS member supplied on the SRCE library. This source member invokes the SAFCFG macro, also supplied on the SRCE library, specifying your site-specific options and requirements.

The SAF Security Kernel uses the settings in SAFCFG to determine:

  • The protected resources for each product

  • Security classes for resource checking

  • The composition of different resource profile names

  • The caching requirements

The resulting load module SAFCFG must be available to any job that includes the SAF Security Kernel. If appropriate, you may decide to maintain different SAFCFG modules for different secured products.

The following SAFCFG parameters are the minimum required for an initial installation of the SAF Security Kernel.

Note:
Refer to the appropriate product documentation for which the SAF Security Kernel is being installed to determine what product specific SAFCFG parameters are required to be set in addition to, or in conjunction with, the following parameters.

GWSIZE: Storage Size for Caching User Information

Parameter Description Syntax
GWSIZE The amount of storage in kilobytes used for caching user information.

Generally, size this parameter based on approximately 512 bytes per user.

Individual product caching requirements affect the amount of storage required. Refer to the respective product documentation for any specific cache sizing estimations.

GWSIZE={256|nnnn}

GWMSGL: Trace Level for Security Checking

Parameter Description Syntax
GWMSGL The tracing level used for security checks.

Valid values are:

  • 0 – no tracing

  • 1 – trace violations only

  • 2 – trace successful checks only

  • 3 – trace all checks

Use the parameter SAFPRINT to control where the trace messages are written and, for an interpretation of the trace message content, refer to section Interpreting Trace Messages in the SAF Security Kernel documentation.

These trace messages are retained for as long as the job or the dataset, to which they have been written, remains available. Deleting the job or dataset deletes the trace messages. For diagnostic and troubleshooting purposes, the content of the trace message includes the SAF User ID for which access is requested.

GWMSGL={0|1|2|3}

GWSTYP: SAF Security System Type

Parameter Description Syntax
GWSTYP The type of SAF Security system in use.

Valid values are:

  • 1 – RACF

  • 2 – Top Secret

  • 3 – ACF2

GWSTYP={1|2|3}

SAFPRINT: Security Check Trace Message Printing

Parameter Description Syntax
SAFPRINT The location where the security check trace messages (see parameter GWMSGL) are written.

Valid values are:

  • N – security check trace messages are written to DD DDPRINT

  • Y – security check trace messages are written to DD SAFPRINT

If you specify SAFPRINT=Y, but you miss to provide a SAFPRINT dataset, trace messages are written to DDPRINT.

You must define the SAFPRINT dataset in the SAF Security Daemon JCL. The dataset might refer to a SYSOUT dataset or to a file defined with RECFM=F (or FB) and LRECL=121.

SAFPRINT={N|Y}

Step 2: Creating the SAFPSEC Security Module

(Sample Job SAFI020)

Create the SAFPSEC security module using the sample assembly job SAFI020. Specify the appropriate STY= and REL= parameter values for your security system.

The resulting load module SAFPSEC must be available to any job that includes the SAF Security Kernel.

STY: SAF Security System Type

Parameter Description Syntax
STY The type of SAF Security system in use.

Valid values are:

  • RACF

  • TSS – Top Secret

  • ACF2

STY={RACF|TSS|ACF2}

REL: Release level of parameter list generated by RACROUTE

Parameter Description Syntax
REL The release level of the parameter list generated by the SAFPSEC RACROUTE macros. REL={7730|nnnn}

Step 3: Creating the SAFPMAC environment module

(Sample Job SAFI021)

Create the SAFPMAC environment module using the sample assembly job SAFI021 and the SRCE member SAFPOS. The resulting load module SAFPMAC must be available to any job that includes the SAF Security Kernel.

Step 4: Identifying the Appropriate Installation Mode

You can install the SAF Security Kernel in two modes:

  • Embedded within a product. The SAF Security Kernel runs in the same address space as the product.

  • Running in its own Daemon address space as a target in the Software AG network.

The following table shows the installation mode for the most common products:

Product Installation Mode
Adabas SAF Security Embedded installation mode
Natural SAF Security Daemon installation mode

Identify which installation mode is appropriate for the product you are installing and continue with Step 4a or Step 4b accordingly.

Note:
For both installation modes, the SAF Security Kernel must run under a defined user ID. This user ID must have sufficient authority to invoke the AUTH, VERIFY, and EXTRACT functions of the RACROUTE external security manager interface and to issue third-party checks on behalf of all users.

Step 4a: Embedded Installation Mode

This section describes the steps for installing the SAF Security Kernel in embedded mode.

For embedded installation mode, you must only add the load library containing the SAF Security Kernel (SAFKRN) and the three load modules SAFCFG, SAFPSEC, and SAFPMAC, created in Steps 1 to 3 above, to the step library concatenation applicable to the installation of the product.

Step 4b: Daemon Installation Mode

(Sample Job SAFI024)

This section describes the steps for installing the SAF Security Kernel in daemon mode.

For daemon installation mode, the SAF Security Kernel runs in its own Daemon address space using Adabas modules to establish itself as a target in the Software AG network. Consequently, the SAF Security Daemon (and therefore its Kernel) can be accessed remotely via Entire Net-Work if configured appropriately.

Software AG recommends that you run the SAF Security Daemon as a started task, although it can be run as a batch job. The SAF Security Daemon must run APF-authorized, therefore all step libraries must be APF-authorized. Sample JCL to execute the SAF Security Daemon is provided in SAFI024 in the JOBS library.

Daemon Runtime Parameters

You configure the SAF Security Daemon with runtime parameters in a similar way to an Adabas nucleus – using a DDCARD input dataset at startup. A sample DDCARD input is provided in the SRCE member SAFDDCAR.

Following is an explanation of the daemon runtime parameters.

CT Parameter: Command Timeout Limit

Parameter Description Minimum Maximum Syntax
CT The maximum time in seconds for interregion communication of results from the daemon to the user. 1 2147483647 CT={60|nn...}

The maximum number of seconds (more precisely, units of 1.048576 seconds) that can elapse from the time a user request has been completed until the results are returned to the user through interregion communication.

Use this parameter to prevent a command queue element (see NC parameter) and an attached buffer (see NABS parameter) from being held for a long period of time for a user who has terminated abnormally.

If the CT limit is exceeded:

  • The command queue element and attached buffer are released.

  • A message ADAM93 is printed.

  • Response code 254 (ADARSP254) is returned to the calling user if the user is not terminated.

DEFAULT Parameter: Default Product

Parameter Description Syntax
DEFAULT The default product to which user requests are passed. DEFAULT=SAF

The DEFAULT parameter should be set to SAF.

FORCE Parameter: Allow Daemon ID Table Overwrite

Parameter Description Syntax
FORCE Specifies whether the daemon can overwrite an existing ID table entry. FORCE={NO|YES}

When a daemon starts up, it scans the ID table to ensure that no entry exists for the ID specified by the NODE parameter. You can use the FORCE parameter to indicate whether the daemon can overwrite an existing entry.

Warning:
Do not use the FORCE parameter unless absolutely necessary or the integrity of the daemon could be lost. Ensure that no server of any kind is active for the ID table entry being overwritten.

LOCAL Parameter: Local Daemon

Parameter Description Syntax
LOCAL Specifies whether the daemon is isolated and available for local use only. LOCAL={NO|YES}

If LOCAL=NO, the daemon is reachable by Entire Net-Work and therefore accessible from remote users.

If LOCAL=YES, the daemon is unreachable by Entire Net-Work and therefore not accessible from remote users.

LU Parameter: Maximum Size of User Request

Parameter Description Minimum Maximum Syntax
LU The maximum allowable size of a user request to the daemon. none none (see note) LU={65535|nn..}

The LU parameter specifies the maximum allowable size of a user request to the daemon. It should be set to 65535.

Note:
An error occurs if the LU parameter is equal to a value greater than the byte count implied by the NABS (number of attached buffers) parameter. LU cannot exceed a value greater than that produced by the following calculation: NABS_value*4096.

MPMWTO Parameter: Daemon Informational Messages

Parameter Description Syntax
MPMWTO Specifies whether the daemon issues informational messages to the operator console. MPMWTO={NO|YES}

If MPMWTO=NO, the daemon does not send informational messages to the operator console.

If MPMWTO=YES, the daemon sends informational messages to the operator console.

NABS Parameter: Number of Attached Buffers

Parameter Description Minimum Maximum Syntax
NABS The number of attached buffers used. 1 32767 NABS={16|nn..}

The number of 4K storage blocks to be used for transmitting information between the user and the daemon. If a request to the daemon fails with a response code 255, increase the value of NABS.

NC Parameter: Number of User Request Queue Elements

Parameter Description Minimum Maximum Syntax
NC The maximum number of user request queue elements. 1 32767 NC={20|nn..}

The maximum number of user requests that can be queued or be in process at any time. If a request to the daemon fails with a response code 151, increase the value of NC.

NODE Parameter: Daemon Identification

Parameter Description Minimum Maximum Syntax
NODE The physical ID of the daemon. 1 65535 NODE=nnnnn

The physical ID of this SAF Security Daemon. Products requiring the SAF Security Kernel to run in Daemon installation mode must specify this same Node ID to the SAFCFG parameter GWDBID. Refer to the appropriate product documentation for more information.

PRODUCT Parameter: Product Availabililty

Parameter Description Syntax
PRODUCT Specifies the products that are available in this daemon. PRODUCT=SAF

The PRODUCT parameter should be set to SAF.

SAF PARM Parameter: SAF Configuration Module Name

Parameter Description Syntax
SAF PARM The SAF configuration module name. SAF PARM={SAFCFG|aaaaaaaa}

If you need to change the name of the default configuration module SAFCFG (for example, you have different configuration modules with different settings), you can specify the name of the configuration module the daemon uses.

SVC Parameter: SVC Number

Parameter Description Syntax
SVC The Adabas SVC number used. SVC={0|nnn}

The SVC number you specify must correspond to the number used for the Adabas SVC at your installation. Valid SVC values are between 200 and 255.

TIMER Parameter: Daemon Wake Up Frequency

Parameter Description Minimum Maximum Syntax
TIMER The frequency in seconds the daemon wakes up and looks for work. 1 none TIMER={10|nnn}

The maximum number of seconds (more precisely, units of 1.048576 seconds) that defines how often the daemon wakes up and looks for work.

Note:
The daemon wakes up automatically whenever it receives a user request or an operator command. Only change the default when advised to do so by Software AG.