This section describes the various aspects of Natural remote procedure call protection; it covers the following topics:
For general information about Natural remote procedure calls, please refer to the Natural RPC documentation.
In a client/server environment, you can use Natural Security to protect the use of Natural remote procedure calls. You can protect Natural RPC servers as well as the way in which Natural RPC service requests issued by clients are handled.
An RPC service request is a request from a client to a Natural RPC server for a Natural subprogram to be invoked which is located in a library on the server.
When a remote CALLNAT is executed, and the Natural RPC
Logon Option is set on the client, the following data are passed to the Natural
RPC server for validation:
the name of the subprogram to be invoked;
the ID of the library on the server which contains the subprogram to be invoked;
the Natural RPC user ID and password (that is, the Natural user ID and password supplied with the Natural RPC service request);
the EntireX user ID (validation depends on Logon Option; see below).
See also the section Using Security in the Natural RPC documentation.
The following Natural profile parameters on a Natural RPC server should be reviewed if the server is to be protected by Natural Security:
| Profile Parameter | Explanation |
|---|---|
| RPC |
The settings for a Natural session which is started as a
Natural RPC server are determined by the Natural profile parameter
For a server to be protected by Natural Security so that
only secured requests are accepted, set the |
| FSEC |
With the profile parameter |
| ETID |
If you start the server session and specify an actual
value with the profile parameter If you start the server session with the profile parameter
If you start the server session with the profile parameter
If you start a server with replicas, the |
| AUTO |
The profile parameter If you start the server session with
|
Generally, the Natural Security user profiles and library profiles on the FSEC system file assigned to the Natural RPC server session determine the access rights to the requested library on the server.
Specifically for the protection of Natural RPC servers, Natural Security provides the following options:
In the security profile of a library, you can set various options which apply when the library is accessed via a Natural RPC service request. These options are described under Natural RPC Restrictions in the section Library Maintenance.
You can define security profiles for Natural RPC servers, as described below in the section Security Profiles for Natural RPC Servers.
In the Library Preset Values section of Administrator Services, you can set various Natural RPC Server Session Options, which control the logon to libraries via Natural RPC service requests.
This section covers the following topics:
The following situations are supported by Natural Security:
Natural RPC server protected by Natural Security only: The Natural RPC user ID is validated.
Natural RPC server protected by Natural Security and EntireX Security: The Natural RPC user ID and the EntireX user ID are validated.
Security data are supplied by the Natural client if the Natural RPC Logon Option is set. In this case the following applies:
The Natural RPC user ID and password to be used for the
service request have to be specified via the Natural application programming
interface USR1071N (contained in the library SYSEXT).
To ensure that this user ID and password are available when needed, executing
USR1071N should be one of the first tasks performed by an
application on the client. If USR1071N is not executed and the
client runs under Natural Security, the user ID and password from the Natural
Security logon on the client are used instead.
If the Impersonation option is set to
"A" in the RPC server security profile and the server has been started with
ETID=OFF, the user ID on the client is specified via the Natural
application programming interface USR4371N (contained in the
library SYSEXT). In addition, USR4371N can be used to
set the ETID for the service request.
The EntireX user ID is supplied via the Natural application
programming interface USR2071N.
The library ID to be used for the service request has to be
specified via the Natural application programming interface
USR4008N (contained in the library SYSEXT). If
USR4008N is not executed, the ID of the client library in which
the CALLNAT statement was executed is used instead.
Note:
If the Natural RPC passwords used for a service request may
contain special characters, make sure that the Natural character translation
tables NTTABA1 and NTTABA2 on the Natural RPC server
have been adjusted accordingly.
Please refer to the client's remote procedure call documentation for information on how to supply the required security data with an RPC service request issued by a non-Natural client to a
Natural RPC server protected by Natural Security;
Natural RPC server protected by Natural Security and EntireX Security.
For user authentication on the Natural RPC server, two modes are possible:
validation with impersonation,
validation without impersonation.
Impersonation assumes that access to the operating system on which a Natural RPC server is running is controlled by an SAF-compliant external security system. User authentication (verification of the Natural RPC user ID and - optionally - the password) is performed by this external security system. Impersonation means that after the authentication has been successful and the user's identity is established, any subsequent authorization checks will be performed based on this identity. This includes authorization checks for access to external resources (for example, databases or work files).
Impersonation is only possible if the Natural RPC server runs under z/OS in batch mode, or under CICS. Impersonation can be used if an SAF-compliant external security system is used, and user authentication is to be performed by this external security system.
Impersonation is activated by the Impersonation setting in the security profile of the Natural RPC server (see Components of an RPC Server Profile below).
If impersonation is not active for the Natural RPC server, Natural Security will perform a logon to the requested library, using the Natural RPC user ID. The logon is performed according to the Natural Security logon rules and the security settings defined on the FSEC system file associated with the server.
One check performed during the logon is based on the evaluation of the Natural RPC Restrictions > Logon Option in the security profile of the requested library. This option determines whether only the Natural RPC user ID or both the user ID and the password are to be verified by the Natural Security logon procedure:
If the Logon Option is set to "N" or "E", both the user ID and the password are verified.
If the Logon Option is set to "A" or
"S", only the user ID is verified - assuming that the password has already been
verified (similiar to the Natural profile parameter AUTO=ON).
In addition, if the Logon Option is set to "E" or "S", Natural Security checks if the Natural RPC user ID is identical to the EntireX user ID. If both IDs are not identical, the service request will be rejected.
After a successful logon, the requested subprogram will be executed.
If the processing of the service request includes an access to an external resource (for example, a database or work file), the external user ID which was used to start the Natural RPC server will be used to check the authorization for such an access.
Impersonation can be used if the user authentication is performed by an SAF-compliant external security system.
If impersonation is active for the Natural RPC server, the Natural server front-end passes the Natural RPC user ID and password (or the user ID only) to the external security system for verification.
After a successful user authentication by the external security system, Natural Security will perform a logon to the requested library. For this logon, Natural Security uses the Natural RPC user ID, but will not perform any password verification for this user. The logon is performed according to the Natural Security logon rules and the security settings defined on the FSEC system file associated with the server.
One check performed during the logon is based on the evaluation of the Natural RPC Restrictions > Logon Option in the security profile of the requested library: If the Logon Option is set to "E" or "S", Natural Security checks if the Natural RPC user ID is identical to the EntireX user ID. If both IDs are not identical, the RPC service request will be rejected.
After a successful logon, the requested subprogram will be executed.
If the processing of the service request includes an access to an external resource (for example, a database or work file), the Natural RPC user ID will be used to check the authorization for such an access.
If you use a Natural RPC server which provides services performed by subprograms contained in a single library, you can use the Logon Mode option in the security profile of the Natural RPC server to improve performance. This reduces the number of database accesses to the Natural Security system file FSEC.
The library on the server is set at the start of the server session, and will remain unchanged until the end of the server session. Service requests for any other library will be rejected. If the library is unprotected (People-protected = N), the user's authorization to access the library is not checked. If the library is protected (People-protected=Y), the user's authorization to access the library is checked. After a successful check, the user's conditions of use of the library are determined by the library profile. Even if a special link exists between the user and the library, any settings in the special-link profile will be ignored.
Note:
When you set Logon Mode to "S" to improve
performance, please be aware that other Natural Security settings also
influence performance, in particular the Logon recorded
option in user and library profiles. Morever, the performance of ETID-triggered
handling of database transactions cannot be optimized.
This section summarizes the checks which are performed by Natural Security depending on settings in security profiles when a service request is issued to a Natural RPC server. The following steps are performed:
User authentication is performed (see the section Validation on the Server above).
RPC server profile > the Logon Mode option is evaluated at the start of the Natural RPC server session (see the section Logon Mode above).
Library profile > General Options > the People-protected option is evaluated.
Library profile > Natural RPC Restrictions > the Logon Option is evaluated (see the section Validation on the Server above): Depending on its setting, it is checked whether the Natural RPC user ID is identical to the EntireX user ID.
RPC server profile > the Service Protection option is evaluated at the start of the Natural RPC server session.
The installation procedure of Natural Security automatically creates a default security profile with the server ID "*". This profile applies to all Natural RPC servers for which no individual security profiles are defined. You can change the settings in this default profile to suit your requirements.
Note:
Should there be no default RPC server profile "*"
in your FSEC system file (this may be the case because the file was not
available at the installation), execute the program NSCRPCAC in
the library SYSSEC. This program creates the default server
profile.
If you do not wish to define a security profile for every single server, you can use asterisk notation for the server ID: If you create a server security profile an choose as server ID a character string followed by an asterisk (*), the profile will apply to all servers whose IDs begin with that character string. For an individual server within such a range, you may still define an individual security profile.
For example, if you defined a server security profile with the ID
"A*", it would apply to all servers whose IDs begin with
"A" (such a ARPC1, AA01,
ABC, ADE etc.). A profile with the ID
"ABC*" would in turn apply to, for example, ABCA,
ABCXYZ etc.
The components of server security profiles and the functions used to create and maintain them are described below.
Some Natural Security functions use the code RP to
represent the object type "Natural RPC servers".
The following type of screen is the primary profile screen which is displayed when you invoke one of the functions Add, Copy, Modify, Display for the security profile of a Natural RPC server:
11:55:00 *** NATURAL SECURITY *** 2020-12 31
- Modify NatRPC Server -
Modified .. 2020-12-31 by SAG
NatRPC Server ... RPCS01
Description ..... __________________________________
--------------- Options -------------
Impersonation ............ (N,Y,A): Y
Lock User ................ (N,X,*): X
ETID ................. (N,*,S,F,C): S
Logon Mode ................. (N,S): S
Domain separator .................: _
Service protection ......... (R,*): *
Additional Options ... N
Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12---
Help PrevM Exit AddOp Flip Canc
|
The individual items you may define as part of a Natural RPC server's security profile are explained below.
| Field | Explanation | |
|---|---|---|
| Impersonation | Impersonation is only relevant if an SAF-compliant external security system is used for user authentication. Impersonation is described above under Validation of an RPC Service Request. This option activates impersonation for the server: | |
| N | Impersonation is not active. | |
| Y | Impersonation is active - with verification of the user ID and the password. | |
| A | Impersonation is active - with verification of the user ID, but not the password. | |
| Impersonation is only possible if the server runs under z/OS in batch mode, or under CICS. If it does not, the setting of this option will be ignored. | ||
| Lock User | This option only applies to libraries in whose security profiles the Lock User option (in the Natural RPC Restrictions section of the library profile) is set to "*". For these libraries, it controls the locking of users when they attempt to access these libraries on the server via Natural RPC service calls: | |
| N | The Lock User feature is not active. | |
| X | The Lock User feature is active for access attempts to libraries on the server via Natural RPC service calls. Once a user has reached the maximum number of logon attempts without supplying the correct password, he/she will be locked, that is, the user ID will be made "invalid". Natural Security "remembers" unsuccessful attempts across sessions: The error counters for the client user IDs which were tried out unsuccessfully are kept for access attempts in subsequent sessions, thus reducing the number of subsequent attempts with these IDs. The error counter for a user ID is only reset after a successful logon. | |
| * | The value of the Lock user option in the Library Preset Values of Administrator Services determines whether or not the Lock User feature is active for access attempts to libraries via Natural RPC service calls. | |
| For details on the Lock User feature, see also the Lock User Option in the General Options section of Administrator Services. | ||
| ETID |
This option only applies to secured service requests passed from Natural clients to the Natural RPC server. It determines which ETIDs are to be used for these clients during the server session: |
|
| N |
The Default ETID as defined in the user security profile of the Natural client determines the ETID to be used. |
|
| S |
A time-stamp-related ETID will be generated for every service request that accesses the Natural RPC server under the control of Natural Security. The ETID is generated when the server is accessed, and will remain in effect until the service request has been processed. Logons to the server are recorded. For information on time-stamp-related ETIDs, see also ETID under User Preset Values in Administrator Services. |
|
| F |
Same as "S", except that logons to the Natural RPC server are not recorded. |
|
| C |
The ETID is supplied by the client, using as ETID the
password value provided by the application programming interface
|
|
| * |
The setting of the ETID option in the User Preset Values, which applies to the user security profile, will determine the ETID to be used. |
|
|
If this option is set to any value other than "N", it is
recommended that the RPC server session be started with the Natural profile
parameter For public service requests, this option has no effect; for them, the ETID of the Natural RPC server, as established at the start of the server session, is used. |
||
| Logon Mode | This option can be used if only one library on the Natural RPC server is accessed: | |
| N |
No special logon mode applies. |
|
| S |
Static Mode applies: The library on the Natural RPC server is set at the start of the server session. It will remain unchanged until the end of the server session. The server will only process service requests for this one library. Any service request with a different library ID will be rejected. If this option is set, the conditions of use of the library are determined by the library profile. Even if a special link exists between the user and the library, any special-link profile will be ignored. |
|
|
Provided that the Natural RPC server provides services performed by subprograms contained in a single library, you can use this option to improve performance. See also Validation of an RPC Service Request above. |
||
| Domain Separator | This field is only relevant
if
The ensure that this check is performed correctly, you have to specify the domain character in this field: The check is then applied to the first 8 characters after the domain separator. |
|
| Service Protection | This option is used to restrict access to the Natural RPC server: | |
| * | Access is not restricted: All users may access the server. | |
| R | Access is restricted: Only users who are linked to the server profile may access the server. In addition, you can restrict the access to be possible only via specific services (subprograms). See Allowing/Disallowing Services for further information. | |
| Before you can reset this field from "R" to "*", you have to delete the list of allowed services you may have specified via Allowing/Disallowing Services. | ||
If you either mark the field Additional Options with "Y" or press PF4, a window will be displayed from which you can select the following options:
Maintenance Information
Security Notes
Owners
The options for which something has already been specified or defined are marked with a plus sign (+).
You can select one or more items from the window by marking them with any character. For each item selected, an additional window will be displayed:
| Additional Option | Explanation |
|---|---|
| Maintenance
Information (display only) |
In this window, the following information is
displayed:
|
| Security Notes | In this window, you may enter your notes on the security profile. |
| Owners | In this window, you may enter up to eight IDs of
administrators. Only the administrators specified here will be allowed to
maintain this server security profile.
If no owner is specified, any user of type "Administrator" may maintain the security profile. For each owner, the number of co-owners whose countersignatures will be required for maintenance permission may optionally be specified in the field after the ID. For information on owners and co-owners, see the section Countersignatures. |
This section describes the functions used to create and maintain security profiles for Natural RPC servers. It covers the following topics:
To invoke Natural RPC server maintenance:
On the Main Menu, select Maintenance.
A window will be displayed.
In the window, mark the object type Natural RPC Server with a character or with the cursor.
The Natural RPC Server Maintenance selection list will be displayed.
From this selection list, you invoke all Natural RPC server maintenance functions as described below.
To define a Natural RPC server to Natural Security, you create a security profile for it.
To do so:
In the command line of the Natural RPC Server
Maintenance selection list, enter the command
ADD.
A window will be displayed in which you enter an ID for the server.
This ID corresponds to the server name as specified with the
Natural profile parameter RPC (see
RPC Server Settings in
Natural above), and must conform to the naming conventions
for Natural RPC servers. Asterisk notation for the server ID is possible, as
described under Security Profiles for
Natural RPC Servers above.
After you have entered a valid ID, the Add Natural RPC Server screen will be displayed.
The items you may define on this screen and any additional windows that may be part of a server security profile are described under Components of an RPC Server Profile.
When you add a new server profile, the owners specified in your own user security profile are automatically copied into the server security profile.
When you invoke Natural RPC Server Maintenance, a list of all Natural RPC server profiles that have been defined to Natural Security will be displayed.
If you do not want a list of all existing profiles, but wish only certain servers to be listed, use the Start Value option as described in the section Finding Your Way In Natural Security.
On the Main Menu, select Maintenance. A window will be displayed.
In the window, mark the object type Natural RPC Server with a character or with the cursor (and, if desired, enter a start value). The Natural RPC Server Maintenance selection list will be displayed:
14:34:42 *** NATURAL SECURITY *** 2020-12-31
- NatRPC Server Maintenance - FSEC (47,11)
Co NatRPC Server Description P Message
__ ________________________________ _____________________ _ ___________________
__ A_NATRPC_SERVER_PAYROLL Department Duckville R
__ ADE_RPC Arch. Department Ge.. R
__ BEST_SERVER Third party logistics R
__ DOBANCO_SRV1 Credit transfer Ban.. R
__ EMPLOYEES_SRV1 Headquarter Server P1 *
__ ESSENHEIM_SRV1 Location Essenheim R
__ NATURAL_RPC_SERVER_NAME_32_BYTES Test SRVNAME *
__ RPC_TIME 8 * 7 Support R
__ RPC_TIME_LONG_LIFE 24 * 7 Support *
__ RPC_TIME_LONG_LIFE_B 24 * 7 Support Backup *
__ TEST_SRV0 QA env. 1 *
__ TEST_SRV1 QA env. 2 R
__ TEST_SRV2 QA env. 3 *
__ UHE_SRV Developer Test env. *
__ WWESRV *
Command ===>
Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12---
Help Exit Flip - + Canc
|
For each server, the server ID is displayed.
The list can be scrolled as described in the section Finding Your Way In Natural Security.
The following maintenance functions are available for Natural RPC server profiles (possible code abbreviations are underlined):
| Code | Function |
|---|---|
CO |
Copy server profile |
MO |
Modify server profile |
RE |
Rename server profile |
DE |
Delete server profile |
DI |
Display server profile |
LU |
Link users to server profile |
To invoke a function for a server profile, mark the server with the appropriate function code in column Co.
You may select various server profiles for various functions at the same time; that is, you can mark several servers on the screen with a function code. For each server marked, the appropriate processing screen will be displayed. You may then perform the selected functions for one server profile after another.
The Copy Server Profile function is used to define a new Natural RPC server to Natural Security by creating a security profile which is identical to an already existing Natural RPC server security profile.
All components of the existing security profile will be copied into the new security profile - except the owners (these will be copied from your own user security profile into the new server security profile).
Any links from users to the existing server will not be copied.
To copy a server profile:
On the Natural RPC Server Maintenance
selection list, mark the server whose security profile you wish to duplicate
with function code CO.
A window will be displayed in which you enter the ID of the new server.
The ID corresponds to the server name as specified with the
Natural profile parameter RPC (see
RPC Server Settings in
Natural above), and must conform to the naming conventions for
Natural RPC servers. Asterisk notation for the server ID is possible, as
described under Security Profiles for
Natural RPC Servers above.
After you have entered a valid ID, the new security profile will be displayed.
Its components which you may define or modify are described under Components of an RPC Server Profile.
The Modify Server Profile function is used to change an existing Natural RPC server security profile.
To do so:
On the Natural RPC Server Maintenance
selection list, mark the server whose security profile you wish to change with
function code MO.
The security profile of the selected server will be displayed.
Its components which you may define or modify are described under Components of an RPC Server Profile.
The Rename function allows you to change the server ID of an existing Natural RPC server security profile.
To do so:
On the Natural RPC Server Maintenance
selection list, mark the server whose ID you wish to change with function code
RE.
A window will be displayed in which you enter a new ID for the server profile.
The ID corresponds to the server name as specified with the
Natural profile parameter RPC (see
RPC Server Settings in
Natural above), and must conform to the naming conventions
for Natural RPC servers. Asterisk notation for the server ID is possible, as
described under Security Profiles for
Natural RPC Servers above.
The Delete Server Profile function is used to delete an existing Natural RPC server security profile.
To do so:
On the Natural RPC Server Maintenance
selection list, mark the server whose profile you wish to delete with function
code DE.
The Delete Server Profile window will be displayed.
If you decide against deleting the server security profile, leave the window by pressing ENTER without having typed in anything.
To delete the server security profile, enter the server ID in the window to confirm the deletion.
If you mark more than one server profile with DE, a
window will be displayed in which you are asked whether you wish to confirm the
deletion of each server security profile with entering the server ID, or
whether all server profiles selected for deletion are to be deleted without
this individual confirmation. Be careful not to delete a server profile
accidentally.
The Display Server Profile function is used to display an existing Natural RPC server security profile.
To do so:
On the Natural RPC Server Maintenance
selection list, mark the server whose security profile you wish to view with
function code DI.
The security profile of the selected server will be displayed.
Its components are explained under Components of an RPC Server Profile.
If access to a Natural RPC server is restricted by the option Service Protection in the server profile (see Components of an RPC Server Profile), you use the functions described below to allow/disallow users access to services (subprograms) on the server.
You can:
To allow/disallow a service:
On the Natural RPC Server Maintenance
selection list, mark the desired server with function code LU.
This is only possible for servers in whose security profiles Service
Protection is set to "R" (as indicated by the column "P" on the
selection list).
A window will be displayed in which you specify if the list of users to be displayed is to contain all users (U), only linked users (L), or only user who are not linked (N).
Then the list of users will be displayed.
Or:
On the User Maintenance selection list,
mark the desired user (user type A, P or G) with function code LR.
A list of all servers with Service Protection set to "R" will be displayed.
The lists can be scrolled as described in the section Finding Your Way In Natural Security.
In the Co column, mark each user/server with one of the following function codes:
| Code | Function |
|---|---|
*A
|
Allow access - The user may access the server. The access is not restricted to specific subprograms (apart from disallowed modules; see below). |
RA
|
Restrict access - The user can access the server only
via explicitly allowed services (subprograms).
The use of certain subprograms in a library can be restricted generally via the Disallow/Allow Modules section of a library or special-link profile. These restrictions apply within and without an RPC server context. That is, if a subprogram is disallowed in the library or special-link profile, it cannot be allowed in an RPC server context. However, you can further restrict access to subprograms
in an RPC server context. Access to the server is then only possible via the
subprograms explicitly allowed: If you mark a user with function code
If there already are allowed subprograms, a list of these subprograms will be displayed:
|
DA
|
Disallow access - The user cannot access the server. |
To allow/disallow a service:
On the Library Maintenance selection
list, mark the desired library with function code RA.
A window will be displayed in which you specify:
"U" to get a list of all users (user types A, P and G) who may use the library (if the library is people-protected = Y, the list contains only users who are linked to it); or
"R" to get a list of all RPC servers in whose security profiles Service Protection is set to "R".
The lists can be scrolled as described in the section Finding Your Way In Natural Security.
If you selected "U", proceed as follows:
On the list of users, mark a user with RA.
A list of all servers in whose security profiles Service Protection is set to "R" will be displayed.
Mark a server with the function code RA.
A list of all services (subprograms) in the library which the user is allowed to access will be displayed.
To allow further services, press PF5. A window will be displayed in which you specify the desired subprogram.
To disallow a service, mark it with DE on
the list.
If you selected "R", proceed as follows:
On the list of servers, mark a server with the function code
RA.
A list of all users (user types A, P and G) and the services (subprograms) in the library which they are allowed to access will be displayed.
To allow further services, press PF5. A window will be displayed in which you specify the desired user ID and subprogram (for a selection list of user IDs, you can enter an asterisk (*)).
To disallow a service, mark it with DE on
the list.
The Natural Security user exit LOGONEX4 is invoked by
the Natural Security RPC logon program after a successful logon of a Natural
RPC client to a Natural RPC server. For details, see
RPC-Related User
Exit in the section User Exits.
The Natural user exit USR2074N, contained in the
library SYSEXT, allows you to change the user password via a
Natural RPC service request.