This section describes how to install the SAF Security Kernel.
This section describes the prerequisites and considerations for installing the SAF Security Kernel.
The SAF Security Kernel is compatible with the z/OS operating system.
The SAF Security Kernel is compatible with all SAF-compliant security systems such as ACF2, RACF, and Top Secret.
The SAF Security Kernel uses the common SAF components provided on the Adabas Limited Library, widely known as the WAL libraries.
Products which require the use of the SAF Security Kernel can be used with any supported version of the WAL library. However, specific product features may require a certain version of the WAL library. The relevant product feature description indicates whenever this is the case.
The SAF Security Kernel load library and any other step libraries in its loading environment must be APF authorized.
The SAF Security Kernel is supplied as a component of the Adabas Limited Libraries (product code WAL).
Dataset | Description |
---|---|
WALvrsLOAD | Standard load library containing modules (prefixed SAF*) required to operate the SAF Security Kernel. |
WALvrsSRCE | Standard source library containing Assembler macros (prefixed NA2M*), source books, and sample input (prefixed SAF*). |
WALvrsJOBS | Standard jobs library containing sample installation jobs (prefixed SAFI*). |
This section describes how to install the SAF Security Kernel.
(Sample Job SAFI010)
The SAFCFG configuration module is created by assembling a source member. Refer to the sample SAFPARMS member supplied on the SRCE library. This source member invokes the SAFCFG macro, also supplied on the SRCE library, specifying your site-specific options and requirements.
The SAF Security Kernel uses the settings in SAFCFG to determine:
- The protected resources for each product
- Security classes for resource checking
- The composition of different resource profile names
- The caching requirements
The resulting load module SAFCFG must be available to any job that includes the SAF Security Kernel. If appropriate, you may decide to maintain different SAFCFG modules for different secured products.
The following SAFCFG parameters are the minimum required for an initial installation of the SAF Security Kernel.
Note: Refer to the documentation of the product for which the SAF Security Kernel is being installed to determine which product-specific SAFCFG parameters must be set in addition to, or in conjunction with, the following parameters.
Parameter | Description | Syntax |
---|---|---|
GWSIZE | The amount of storage in kilobytes used for caching user information. Generally, size this parameter based on approximately 512 bytes per user. Individual product caching requirements affect the amount of storage required. Refer to the respective product documentation for any specific cache sizing estimations. | GWSIZE={256|nnnn} |
Parameter | Description | Syntax |
---|---|---|
GWMSGL | The tracing level used for security checks. Valid values are: Use the parameter These trace messages are retained for as long as the job or the dataset, to which they have been written, remains available. Deleting the job or dataset deletes the trace messages. For diagnostic and troubleshooting purposes, the content of the trace message includes the SAF User ID for which access is requested. | GWMSGL={0|1|2|3} |
Parameter | Description | Syntax |
---|---|---|
GWSTYP | The type of SAF Security system in use. Valid values are: | GWSTYP={1|2|3} |
Parameter | Description | Syntax |
---|---|---|
SAFPRINT | The location where the security check trace messages (see parameter GWMSGL) are written. Valid values are: If you specify You must define the | SAFPRINT={N|Y} |
(Sample Job SAFI020)
Create the SAFPSEC security module using the sample assembly job SAFI020. Specify the appropriate STY= and REL= parameter values for your security system.
The resulting load module SAFPSEC must be available to any job that includes the SAF Security Kernel.
Parameter | Description | Syntax |
---|---|---|
STY | The type of SAF Security system in use. Valid values are: | STY={RACF|TSS|ACF2} |
Parameter | Description | Syntax |
---|---|---|
REL | The release level of the parameter list generated by the SAFPSEC RACROUTE macros. | REL={7730|nnnn} |
(Sample Job SAFI021)
Create the SAFPMAC environment module using the sample assembly job SAFI021 and the SRCE member SAFPOS. The resulting load module SAFPMAC must be available to any job that includes the SAF Security Kernel.
You can install the SAF Security Kernel in two modes:
- Embedded within a product. The SAF Security Kernel runs in the same address space as the product.
- Running in its own Daemon address space as a target in the Software AG network.
The following table shows the installation mode for the most common products:
Product | Installation Mode |
---|---|
Adabas SAF Security | Embedded installation mode |
Natural SAF Security | Daemon installation mode |
Identify which installation mode is appropriate for the product you are installing and continue with Step 4a or Step 4b accordingly.
Note: For both installation modes, the SAF Security Kernel must run under a defined user ID. This user ID must have sufficient authority to invoke the AUTH, VERIFY, and EXTRACT functions of the RACROUTE external security manager interface and to issue third-party checks on behalf of all users.
This section describes the steps for installing the SAF Security Kernel in embedded mode.
For embedded installation mode, you only need to add the load library containing the SAF Security Kernel (SAFKRN) and the three load modules SAFCFG, SAFPSEC, and SAFPMAC, created in Steps 1 to 3 above, to the step library concatenation applicable to the installation of the product.
(Sample Job SAFI024)
This section describes the steps for installing the SAF Security Kernel in daemon mode.
For daemon installation mode, the SAF Security Kernel runs in its own Daemon address space using Adabas modules to establish itself as a target in the Software AG network. Consequently, the SAF Security Daemon (and therefore its Kernel) can be accessed remotely via Entire Net-Work if configured appropriately.
Software AG recommends that you run the SAF Security Daemon as a started task, although it can be run as a batch job. The SAF Security Daemon must run APF-authorized; therefore, all step libraries must be APF-authorized. Sample JCL to execute the SAF Security Daemon is provided in SAFI024 in the JOBS library.
You configure the SAF Security Daemon with runtime parameters in a similar way to an Adabas nucleus – using a DDCARD input dataset at startup. A sample DDCARD input is provided in the SRCE member SAFDDCAR.
Following is an explanation of the daemon runtime parameters.
Parameter | Description | Minimum | Maximum | Syntax |
---|---|---|---|---|
CT | The maximum time in seconds for interregion communication of results from the daemon to the user. | 1 | 2147483647 | CT={60|nn...} |
The maximum number of seconds (more precisely, units of 1.048576 seconds) that can elapse from the time a user request has been completed until the results are returned to the user through interregion communication.
Use this parameter to prevent a command queue element (see NC parameter) and an attached buffer (see NABS parameter) from being held for a long period of time for a user who has terminated abnormally.
If the CT limit is exceeded:
- The command queue element and attached buffer are released.
- A message ADAM93 is printed.
- Response code 254 (ADARSP254) is returned to the calling user if the user is not terminated.
Parameter | Description | Syntax |
---|---|---|
DEFAULT | The default product to which user requests are passed. | DEFAULT=SAF |
The DEFAULT parameter should be set to SAF.
Parameter | Description | Syntax |
---|---|---|
FORCE | Specifies whether the daemon can overwrite an existing ID table entry. | FORCE={NO|YES} |
When a daemon starts up, it scans the ID table to ensure that no entry exists for the ID specified by the NODE parameter. You can use the FORCE parameter to indicate whether the daemon can overwrite an existing entry.
Warning: Do not use the FORCE parameter unless absolutely necessary or the integrity of the daemon could be lost. Ensure that no server of any kind is active for the ID table entry being overwritten.
Parameter | Description | Syntax |
---|---|---|
LOCAL | Specifies whether the daemon is isolated and available for local use only. | LOCAL={NO|YES} |
If LOCAL=NO, the daemon is reachable by Entire Net-Work and therefore accessible from remote users.
If LOCAL=YES, the daemon is unreachable by Entire Net-Work and therefore not accessible from remote users.
Parameter | Description | Minimum | Maximum | Syntax |
---|---|---|---|---|
LU | The maximum allowable size of a user request to the daemon. | none | none (see note) | LU={65535|nn..} |
The LU parameter specifies the maximum allowable size of a user request to the daemon. It should be set to 65535.
Note: An error occurs if the LU parameter is set to a value greater than the byte count implied by the NABS (number of attached buffers) parameter. LU cannot exceed the value produced by the following calculation: NABS_value*4096.
Parameter | Description | Syntax |
---|---|---|
MPMWTO | Specifies whether the daemon issues informational messages to the operator console. | MPMWTO={NO|YES} |
If MPMWTO=NO, the daemon does not send informational messages to the operator console.
If MPMWTO=YES, the daemon sends informational messages to the operator console.
Parameter | Description | Minimum | Maximum | Syntax |
---|---|---|---|---|
NABS | The number of attached buffers used. | 1 | 32767 | NABS={16|nn..} |
The number of 4K storage blocks to be used for transmitting information between the user and the daemon. If a request to the daemon fails with a response code 255, increase the value of NABS.
Parameter | Description | Minimum | Maximum | Syntax |
---|---|---|---|---|
NC | The maximum number of user request queue elements. | 1 | 32767 | NC={20|nn..} |
The maximum number of user requests that can be queued or be in process at any time. If a request to the daemon fails with a response code 151, increase the value of NC.
Parameter | Description | Minimum | Maximum | Syntax |
---|---|---|---|---|
NODE | The physical ID of the daemon. | 1 | 65535 | NODE=nnnnn |
The physical ID of this SAF Security Daemon. Products requiring the SAF Security Kernel to run in Daemon installation mode must specify this same Node ID to the SAFCFG parameter GWDBID. Refer to the appropriate product documentation for more information.
Parameter | Description | Syntax |
---|---|---|
PRODUCT | Specifies the products that are available in this daemon. | PRODUCT=SAF |
The PRODUCT parameter should be set to SAF.
Parameter | Description | Syntax |
---|---|---|
SAF PARM | The SAF configuration module name. | SAF PARM={SAFCFG|aaaaaaaa} |
If you need to change the name of the default configuration module SAFCFG (for example, you have different configuration modules with different settings), you can specify the name of the configuration module the daemon uses.
Parameter | Description | Syntax |
---|---|---|
SVC | The Adabas SVC number used. | SVC={0|nnn} |
The SVC number you specify must correspond to the number used for the Adabas SVC at your installation. Valid SVC values are between 200 and 255.
Parameter | Description | Minimum | Maximum | Syntax |
---|---|---|---|---|
TIMER | The frequency in seconds the daemon wakes up and looks for work. | 1 | none | TIMER={10|nnn} |
The maximum number of seconds (more precisely, units of 1.048576 seconds) that defines how often the daemon wakes up and looks for work.
Note: The daemon wakes up automatically whenever it receives a user request or an operator command. Only change the default when advised to do so by Software AG.
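The limits in the daemon parameter tables above can be checked before the daemon is started. The following Python linter is an added example, not part of the Software AG documentation or sample libraries; it assumes the DDCARD input can be reduced to KEY=VALUE pairs and that the first value in each Syntax column is the default, and the sample cards are constructed.

```python
import re

# Limits and allowed values taken from the parameter tables above.
RANGES = {"CT": (1, 2147483647), "NABS": (1, 32767), "NC": (1, 32767),
          "NODE": (1, 65535), "SVC": (200, 255), "TIMER": (1, None)}
CHOICES = {"FORCE": {"NO", "YES"}, "LOCAL": {"NO", "YES"},
           "MPMWTO": {"NO", "YES"}, "DEFAULT": {"SAF"}, "PRODUCT": {"SAF"}}
# Assumption: the first value in each Syntax column is the default.
DEFAULTS = {"NABS": "16", "LU": "65535", "FORCE": "NO", "LOCAL": "NO"}

# Constructed sample input; the KEY=VALUE card layout is an assumption.
SAMPLE_CARDS = """
NODE=1234,SVC=249
NABS=8,LU=65535
LOCAL=NO,FORCE=YES
"""

def parse_cards(text):
    """Collect KEY=VALUE pairs from the card text, upper-cased."""
    return {k.upper(): v.upper() for k, v in re.findall(r"(\w+)=(\w+)", text)}

def check_daemon_parms(text):
    """Return (severity, message) findings for a set of daemon parameters."""
    p = {**DEFAULTS, **parse_cards(text)}
    findings = []
    for name, (lo, hi) in RANGES.items():
        v = p.get(name)  # parameters that are absent are not range-checked
        if v is not None and (not v.isdigit() or int(v) < lo or (hi and int(v) > hi)):
            findings.append(("ERROR", f"{name}={v} is outside {lo}..{hi or 'no maximum'}"))
    for name, allowed in CHOICES.items():
        if name in p and p[name] not in allowed:
            findings.append(("ERROR", f"{name}={p[name]} is not one of {sorted(allowed)}"))
    # LU must not exceed the byte count implied by NABS (4096 bytes per buffer).
    if p["LU"].isdigit() and p["NABS"].isdigit():
        limit = int(p["NABS"]) * 4096
        if int(p["LU"]) > limit:
            findings.append(("ERROR", f"LU={p['LU']} exceeds NABS*4096={limit}"))
    # Settings the page ties to remote reachability or loss of integrity.
    if p["LOCAL"] == "NO":
        findings.append(("WARN", "LOCAL=NO: daemon is reachable through Entire Net-Work"))
    if p["FORCE"] == "YES":
        findings.append(("WARN", "FORCE=YES: an existing ID table entry can be overwritten"))
    return findings

if __name__ == "__main__":
    for severity, message in check_daemon_parms(SAMPLE_CARDS):
        print(severity, message)
```

With the constructed sample, lowering NABS to 8 while leaving LU at 65535 is reported as an error, and LOCAL=NO and FORCE=YES are reported as warnings for review.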