SirSafe control of access to passwords

The Model 204 system manager uses the LOGCTL command to maintain database passwords in CCASTAT. Then SirSafe maps the individual file and group entries in CCASTAT into resources that may be controlled by a system security manager, such as RACF. Judicious use of naming standards simplifies the division of responsibility between the Model 204 system manager and a system security officer.

Overview

When SirSafe is active, it alters the process of verifying passwords for Private and Semipublic files and groups. When CCASTAT is scanned for a matching password during the file or group open process, an additional step is added for each entry that matches the password entered by the end-user. Before the access rights associated with the entry are granted, a system security manager is used to verify that the user has READ access to that entry in CCASTAT. If the user doesn't have READ access, the entry is skipped, and CCASTAT processing continues as if the passwords did not match. Thus, an end user could know a password, but be denied its use.

File or group password entries with the same password and different privileges can be used to implement very flexible security schemes. Password entries conveying "strong" access rights should be entered into CCASTAT with index characters that collate low, such as blank or A. An entry with the same password and weaker privileges (like read-only) could follow with a higher collating index, such as 1. Then the same password could give two different users different access rights, depending upon rules enforced by a system security manager.

SirSafe also enhances control over when an end user is allowed to change the password for a particular file or group CCASTAT entry. Whenever Model 204 prompts for a password, the end user may enter the password value, followed by a colon (:) and a replacement password value. If the password is matched, then the replacement password value may be used to overlay the password value in the CCASTAT entry. Without SirSafe, a particular end user must be authorized to change all file or group passwords or to change none.

SirSafe adds another level of checking before end users are allowed to change a file or group password. The end user must first have READ access to the particular CCASTAT entry, then if a replacement password value was provided, SirSafe checks for WRITE access to the CCASTAT entry. If the end user has WRITE access, the password is updated. Otherwise, the update request is rejected. This facility can prevent the accidental updating of a password shared by many people.

Model 204 Security Environments

Use of SirSafe requires an active Model 204 Security Environment. A Security Environment consists of:

An interface between Model 204 and a particular security manager
Certain security parameters that are specific to the interface

Detailed information about how to install and configure a security interface for Model 204 can be found in the Model 204 security interfaces pages.

Each of the security manager interfaces supported by Model 204 implements a default set of parameters, and it also provides a facility for customizing parameters that can be selected by the SECPLIST User 0 parameter. In order to determine if a particular Online is operating under the control of a security manager, and to determine the specific parameters in effect, you can login as a system manager and execute the following command:

AUTHCTL VIEW

If an interface is active, AUTHCTL VIEW identifies it and list its current parameters. SirSafe adapts a parameter from each type of interface to form the High Level Qualifier (HLQ) used for mapping CCASTAT entries into virtual data set names. The parameter used for each interface and the interface defaults are as follows:

Interface type	Description and HLQ source
RACF	Now known as the IBM Security Server, RACF is an IBM Program product. The HLQ parameter is `GROUP`, which has a default value of `M204RACF`.
TOPSECRET	CA-Top Secret is marketed by Computer Associates. The HLQ parameter is `ACID`, which has a default value of `M204TOPS`.
ACF2	CA-ACF2 is marketed by Computer Associates. The HLQ is formed by appending the value of the `RESOURCE` field to the constant `R`. Thus, the default is `R204`.

Mapping CCASTAT entries to data sets

SirSafe maps each file or group entry in CCASTAT to a corresponding data set name. When an end-user needs to access a particular CCASTAT entry (for example, the entry contains a match for a file or group open password entered by the user), the active Model 204 security interface is used to determine if the data set corresponding to that CCASTAT entry could be read (or written) by the user. Note that no attempt is made to open the particular data set, and the data set does not need to exist.

The data set names used by SirSafe for verifying CCASTAT access have four levels:

The High Level Qualifier is determined by the active Model 204 security interface as previously described.
The second qualifier is the string FILE or GROUP, depending upon whether a file or group is being opened.
The third level is the name of the file or group.
The final level is determined by the index character for the current CCASTAT entry. It will contain the constant string INDEX, followed by the actual index character, if it is alphanumeric, or else by the two-character hexadecimal representation of the index character.

The following example shows the data set names used by SirSafe to check access for some corresponding file password entries, assuming that the RACF interface is active with the default RACF Control Group Name (M204RACF):

file index corresponding "dataset" name :ALANPROC ... M204RACF.FILE.ALANPROC.INDEX40 :ALANPROC A ... M204RACF.FILE.ALANPROC.INDEXA :ALANPROC 1 ... M204RACF.FILE.ALANPROC.INDEX1 :ASDF ... M204RACF.FILE.ASDF.INDEX40 :BACKUP ... M204RACF.FILE.BACKUP.INDEX40

SirSafe modes for CCASTAT

SirSafe is controlled by parameters contained in a special CCASTAT entry maintained by the AUTHCTL system manager command (see AUTHCTL A SIRSAFE). The special entry includes a list of allowed security environments and a SirSafe mode specification as follows:

OPTIONAL

A CCASTAT that is set to OPTIONAL mode may be used by any Model 204 load module, with or without SirSafe support and regardless of the current security environment.

However, SirSafe will only control access to file and group entries in an optional CCASTAT when the current security environment matches one of those specified in the special SirSafe entry.

Note: OPTIONAL mode only activates a subset of the SirSafe functionality.

REQUIRED

A CCASTAT that is set to REQUIRED mode may only be opened by a Model 204 load module with SirSafe installed and with a security

environment that matches one of those specified in the special SirSafeentry.

The REQUIRED mode activates additional features of SirSafe.

The REQUIRED attribute can be used to ensure that a specific security environment is used to control access to the file and group entries in CCASTAT. This is especially important when the value of passwords is widely known and SirSafe provides the security instead of relying on secrecy.

Support of "visible" passwords

When SirSafe is REQUIRED for a CCASTAT, then no file or grouppassword can be used unless the end-user is allowed access to the CCASTAT entry containing the password. As explained earlier in this section, one benefit of this is that different end-users can be given different privileges when using the same password to open the same file or group. Another benefit is that passwords themselves can be freely shared and distributed, that is, they do not need to be kept a secret.

When SirSafe is REQUIRED for a CCASTAT, it supports so-called visible file and group passwords. Extensions to the LOGCTL, LOGFILE, and LOGGRP commands allow visible passwords to be entered, maintained, and displayed in clear text. This can greatly simplify management of multiple passwords for a particular file or group, since there is no guessing about the password value.

Ordinary (invisible) file or group passwords are maintained by the LOGCTL command, using either a colon (:) to indicate a file entry or a comma (,) to indicate a group entry. Visible entries are indicated by a different pair of special characters: The "greater than" symbol (>) indicates a visible file entry, and the "plus sign" (+) indicates a visible group entry.

The LOGFILE and LOGGRP commands are extended to display the password value for visible entries, else a field of asterisks:

LOGFILE PROCFILE >PROCFILE A THEMAN X'BFFF' 0, 0, 0, 0, 0, ALL :PROCFILE B ******** X'0761' 0, 0, 0, 0, 0, ALL >PROCFILE 4 THEMAN X'0221' 0, 0, 0, 0, 0, ALL

In the example above, there are three password table entries for the file PROCFILE. Two of them, for the same password, are visible. In this example, a user in the "file managers" group could get access to the slot associated with index character A, while everyone else could get access to the slot associated with index character 4.

Activating and deactivating SirSafe

Until version 7.5 of Model 204, SirSafe was distributed as a component of the Sirius Mods product. Thereafter, it is a member of the RKTools product.

Once SirSafe is installed, the AUTHCTL A SIRSAFE command may be used to activate SirSafe for the current CCASTAT.

Activation adds a special control entry that contains the execution parameters for SirSafe. If the REQUIRED keyword is present, the version number of CCASTAT will be altered. This prevents the CCASTAT from being opened by Model 204 load modules without SirSafe support or without the proper security environment.

For example, the following command would activate SirSafe as REQUIRED and usable only with RACF, using the default value for the GROUP parameter:

AUTHCTL A SIRSAFE REQUIRED MVSRW RACF=M204RACF

The contents of the SirSafe special entry may be displayed by the AUTHCTL LIST SIRSAFE command. The current SirSafe parameters can be replaced using the AUTHCTL C SIRSAFE command, or deleted using the AUTHCTL D SIRSAFE command.

Note: If any visible passwords have been stored, they must all be deleted before the SirSafe environment can be deleted or changed from REQUIRED to OPTIONAL.

Identifying file/group CCASTAT entries

Most Model 204 password tables contain a jumble of entries that have accumulated over time. Frequently a system manager just adds a new password when emergency access is required for a file. Without visible passwords, it is very easy to lose track of which password corresponds to a particular index character. Confusion is especially likely when a password is added that has the same value as one that occurs earlier in the collating sequence.

SirSafe implements an extension to the LOGFILE and LOGGRP commands that allows the Model 204 system manager to create a map of the relationship between password values and index characters. It can also be used to identify password entries that have duplicate password values.

The PWDLOCATE keyword can be used with the LOGFILE or LOGGRP command to cause the system to prompt the user for a password value to be "ANDed" with the other search conditions. The PWDLOCATE option could be used to diagnose a problem concerning a failure to achieve the desired access: Suppose a System Manager added a password with the value WRITE with index character A, but the user reports the password "didn't work." LOGCTL shows the following:

logfile alanproc :ALANPROC ******** X'0201' 0, 0, 0, 0, 0, ALL :ALANPROC A ******** X'BFFF' 0, 0, 0, 0, 0, ALL :ALANPROC 1 ******** X'0CCC' 0, 0, 0, 0, 0, ALL

You could use the PWDLOCATE option to identify all of the password entries that have the password value WRITE:

logfile pwdlocate alanproc *** M204.0347: PASSWORD :ALANPROC ******** X'0201' 0, 0, 0, 0, 0, ALL :ALANPROC A ******** X'BFFF' 0, 0, 0, 0, 0, ALL

This example shows that the CCASTAT entry for file ALANPROC with the blank index character also has the password value WRITE, and because it occurs first in the collating sequence, it is being used.

For more information about the PWDLOCATE option, see Selecting entries by password.

Moving file/group CCASTAT entries

Because SirSafe controls access to individual file or group entries in CCASTAT, the index character for a password entry is very important. Naming conventions should be used to enable a few generic dataset rules to cover many files and groups.

A good convention to start with includes the following:

Reserve the blank character for system manager emergency use.
Reserve a few other low-collating characters (like A through E) for mapping unrecognized passwords, so "warning rules" can be used to identify their users.
Reserve the next few characters (like F through H) for all high-power file management passwords.
Reserve index characters that collate high, like numeric digits, for less-powerful, "public" passwords.

Most Model 204 password tables contain entries that were allocated in a haphazard fashion with no particular order. In order to assist with a migration to a more orderly structure, SirSafe implements a facility for copying a file or group password entry from its current slot to a slot with a different index character. The LOGCTL R command is used to copy the identified file or group CCASTAT entry. If the specified entry is located, the user is prompted for the index character to be used for the copy:

logctl r :procfile *** M204.0374: ENTER INDEX CHARACTER FOR REPLICATE 4 >PROCFILE 4 ******** X'BFFF' 0, 0, 0, 0, 0, ALL *** M204.0376: PARAMETERS ACCEPTED *** M204.0345: CCASTAT UPDATED

Note: The sequence of LOGCTL R followed by LOGCTL D moves a file or group entry in CCASTAT.

Enhanced SECURE command

SirSafe extends the SECURE command so that a file or group can be set to open only when SirSafe is active (that is, the CCASTAT mode may be OPTIONAL or REQUIRED, but there must be a valid security environment). This provides an easier-to-manage facility for helping to avoid exposures to counterfeited password tables. This facility is activated with the following command:

SECURE FILE SIRSAFE

The CCASTAT modes are described in SirSafe modes for CCASTAT, and the security environment is described in Model 204 Security Environments.