This section describes the steps for installing EntireX Security for Broker kernel under z/OS. The installation procedure has the following steps:
To modify the Broker attribute file
Insert the following parameter in the DEFAULTS=BROKER section of the Broker attribute file:
Modify the Security-specific attributes section of the Broker attribute file according to your requirements. These parameters are used to determine whether you will use SAF Security or LDAP-based authentication. See Security-specific Attributes under Broker Attributes. If you are using LDAP-based authentication, authorization checks are not available to you.
SECURITY=YES loads the supplied load module USRSEC from the EXX970.LOAD library. This module performs privileged operations, such as executing the RACROUTE macro, and therefore requires APF authorization.
EntireX Security performs checks against user profiles and resource profiles represented in RACF, CA ACF2, and CA Top Secret. See Resource Profiles in EntireX Security.
For services supporting Natural RPC or other applications that use RPC, you can perform authorization checks on the client by defining the "per in the Broker attribute file. Setting this parameter to YES causes the RPC library and program names to be appended to the profile associated with the authorization check. The resource profile would then appear as follows:
If the total length of the resource profile exceeds 80 bytes, increase
This check applies only to the client and not to the server. CLIENT-RPC-AUTHORIZATION=YES should not be set for any service that does not use the RPC protocol.
Natural Security performs its resource authorization checks as follows:
To allow conformity with Natural Security, the CLIENT-RPC-AUTHORIZATION parameter can optionally be defined with a prefix character as follows:
If you use the trusted user ID option, set the parameter TRUSTED-USERID=YES in the DEFAULTS=SECURITY section of the attribute file.
The trusted user ID feature automatically acquires the identity of the logged-on user or batch job. It must therefore only be used with TP monitors running under the control of RACF, CA ACF2 or CA Top Secret. Batch jobs must run under an identifiable user ID, as inherited by the job submitter, scheduler, or other means.
Applications using the trusted user ID feature must execute under z/OS and on the same machine, or another z/OS machine connected to Broker through Entire Net-Work. Communication is through the Adabas SVC mechanism.
Applications must not assign a password to the ACI control block if they intend to use trusted user ID. This applies to all applications, including EntireX RPC Server. If the application cannot avoid supplying a password, it is permissible to assign a password value of
EntireX Security trusted user ID functionality is relevant only for determining the z/OS user ID of applications executing on z/OS that communicate, via the Adabas SVC mechanism, with an EntireX Broker that is also executing on z/OS. It cannot be used in configurations that include application components executing on separate, non-z/OS computers that communicate with EntireX Broker through Entire Net-Work; such configurations invalidate the use of trusted user ID.
The SVCSAF module is supplied with EntireX. If your Adabas version is lower than 8.2, the resulting Adabas SVC must be linked into an APF authorized library. Since Adabas 8.2, the SAF component is linked to ADASVC by default. Linkage example:
//*-------------------------------------------------------
//* CREATE A NEW ADASVC MODULE THAT INCLUDES SVCSAF MODULE
//*-------------------------------------------------------
//LNKSVC   EXEC PGM=IEWL,PARM='XREF,LIST,LET,NCAL,RENT,REUS'
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD SPACE=(CYL,(1,1)),UNIT=VIO
//WALLIB   DD DISP=SHR,DSN=WAL826.LOAD          ADASVC and SVCSAF
//SYSLMOD  DD DISP=SHR,DSN=WAL826.NEW.LOAD      NEW ADASVC OUTPUT
//SYSLIN   DD *
  MODE AMODE(31),RMODE(24)
  INCLUDE WALLIB(ADASVC)
  SETCODE AC(1)
  INCLUDE WALLIB(SVCSAF)
  NAME ADASVC(R)
/*
//*
Implementing the SAF trusted user ID option in EntireX Security under CICS TS version 1.2 and above requires the installation of the Adabas task-related user exit (ADATRUE) and setting either the ADAGSET or LGBLSET (depending upon the Adabas version) parameter

See Installing Adabas with TP Monitors in the Adabas installation documentation for complete details on installing ADATRUE. Samples of the ADAGSET and LGBLSET parameter modules can be found in the library WAL826.SRCE.
For additional supporting information, see the Installation Procedure section of the Adabas Installation Manual.
To build language-specific messages
Copy the template message module EXX970.SRCE(NA2MSG0) to another member - for example, EXX970.SRCE(NA2MSG9) - and then modify the message texts to suit your own language requirements.
NA2MSG0, NA2MSG1, and NA2MSG2 are reserved names.
Assemble and link your modified source module using the sample JCL EXX970.SRCE(SAGJ106), ensuring that you create a unique load module in the EXX970.LOAD library.
ERRTXT-MODULE parameter in the
of the attribute file to reflect the name of your unique load module.
The Broker must be restarted to pick up changes to the Broker attribute file and to initialize Broker kernel under z/OS to perform security checks.
Basic installation of EntireX Security for Broker kernel is now complete.
This section describes the steps for installing EntireX Security for Broker stub under z/OS. The installation consists of the following steps:
SEND buffer after issuing the SEND command, since the contents of the SEND buffer are encrypted when more than 32 KB of data is sent. We recommend that you code all applications so that they do not rely on the contents of the SEND buffer after calling Broker. This will be required in the future for all SEND commands, regardless of whether the data exceeds 32 KB. Therefore, where encryption is activated, the application's SEND buffer must not be in read-only memory.
These steps are not required if you are running your application(s) at ACI version 8 or above.
The SAFCFG configuration module is required for applications running on z/OS using ACI version 7 or below.
To assemble the SAFCFG configuration module
Run job WALvrs.JOBS(SAFI010), which assembles and links SAFCFG (load module).
This module comes with preconfigured defaults. See source module WALvrs.SRCE(SAFCFG). If encryption is required, set the macro assembly parameter as follows:
For applications running on z/OS using ACI 7 or below, the Broker stub security component must be linked with the following stubs:
To link the Broker stub security component
Relink all applications that contain ACI stub modules MPPETB to include the following modules:

NA2PETS - Broker security stub logic module
SAFCFG - System parameter module
These components are needed for backward compatibility if your applications issue any commands using ACI version 7 or below. Applications using ACI version 8 or above do not require these additional components in the stubs.
For ACI version 7 or below, these components must be added to the stub environment used by the application. Failure to link these components along with the stub when using ACI versions 1 through 7 can result in the message "SEFM225 MESSAGE FROM BACK LEVEL STUB" being issued by the Broker kernel.
SECUEXIT must be made available for applications running on z/OS using ACI version 7 or below.

SECUEXIT in library EXX970.LOAD so that it is available to applications running the IBM C stub.
SECUEXIT is available in EXX970.LOAD for all
Installation of EntireX Security for Broker stubs is now complete. Now you can install the security components for the Broker stubs on the remaining operating systems where your application components are located.
See also Setting up EntireX Security for Broker Stubs under UNIX | Windows.