Introduction

The System Authorization Facility (SAF) is used by z/OS and compatible sites to provide rigorous control of the resources available to a user or group of users. Security packages such as RACF, CA-ACF2, and CA-Top Secret allow the system administrator to

  • maintain user identification credentials such as user ID and password; and

  • establish profiles determining the datasets, storage volumes, transactions, and reports available to a user.

The resulting security repository and the infrastructure to administer it represent a significant investment. At the same time, the volume of critical information held by a business is constantly growing, as is the number of users referencing the data. The challenge of controlling these ever-increasing accesses requires a solution that is flexible and easy to implement and that, above all, safeguards the company's investment.

The SAF Security Kernel acts as an agent for other Software AG products such as Adabas, Natural, and Entire Net-Work. It allows them to secure resources via a SAF-compliant security system, thus enhancing the scope of the security system to enable:

  • a single control and audit system for all resources

  • a single definition of user IDs and passwords

  • industry standard protection of resources such as Adabas data and Natural libraries

  • maximized return on investment in the security repository

Architecture

A SAF security solution comprises two separate components:

  • a product-specific component which is distributed and installed with the product being protected (Adabas, Natural, Entire Net-Work or EntireX)

  • a product-independent SAF Security Kernel (the subject of this document) which may be embedded in an authorized product or operate as a separate authorized daemon

Related Documentation

For details on securing specific products such as the following, refer to the relevant product documentation:

  • Adabas SAF Security

  • Natural SAF Security

  • Entire Net-Work

  • EntireX Security

Some of these products are distributed with a copy of the SAF kernel. The individual product documentation indicates if this is the case.

Password Phrases

The SAF Security Kernel provides password phrase support with Adabas Limited (WAL) Library Version 8.3.4 (or above) for the following products:

  • Adabas SAF Security

  • Entire Net-Work

  • EntireX Security

In addition, the SAF Security Kernel provides password phrase support with Adabas Limited (WAL) Library Version 8.4.3 Load Update 1 (or above) for the following products:

  • Natural SAF Security 8.2.7 (or above) in conjunction with fix SF97005.

zIIP Support

The SAF Security Kernel is compatible with the following zIIP implementations:

  • Adabas SAF Security Version 8.2.2 (or above) running in a zIIP-enabled Adabas nucleus.

    Refer to the section Using COR-based Add-ons in the Adabas Release Notes relevant to the Adabas version you are running for any special considerations regarding this type of implementation.

  • Adabas SAF Security Version 8.2.2 (or above) running in a zIIP-enabled Adabas System Coordinator daemon (Version 8.3.1 or above).

    Refer to the section Implementing Adabas System Coordinator for zIIP in the Adabas System Coordinator z/OS Installation guide for any special considerations regarding this type of implementation.

Although the current SAF Security Kernel provides compatibility with the above zIIP implementations, enhanced zIIP support is provided with Adabas Limited (WAL) Library Version 8.4.3 Load Update 1 (or above) in conjunction with Adabas SAF Security Version 8.2.2 fixes AX822013, AX822014, and AX822015.

Support for ENF Signals

With Adabas Limited Library (WAL) version 8.5 SP4 Patch level 1 and above, the SAF Security Kernel supports ENF signal types 62, 71, and 79, both when installed with another product being protected (Adabas, Natural, Entire Net-Work, EntireX) and when running in a separate authorized daemon.

  • An ENF signal type 62 may be issued to listeners when a SETROPTS RACLIST command affects in-storage profiles used for authorization checking.

  • An ENF signal type 71 may be issued to listeners when a CONNECT, REMOVE, ALTUSER REVOKE, DELUSER, or DELGROUP command has affected a user’s group connections.

  • An ENF signal type 79 may be issued to listeners when a PERMIT, RDEFINE, RALTER, or RDELETE command has affected a user’s or group’s authorizations to resources. Note, however, that the SAF Security Kernel supports only those type 79 signals that affect a user’s authorization to resources.

Refer to your security package documentation for detailed information regarding how and when these signal types are issued.

Listening to these signals is enabled through configuration parameters; by default, the kernel does not listen. For product-specific information, refer to the relevant product documentation.

Signal listeners are automatically shut down at job termination. To shut down any active listeners while the job remains active, use the SSIGTERM operator command. Terminated listeners can only be restarted by stopping and restarting the job.