JAL: /* Model 204 Security Environments */ add link

2016-12-07T20:31:19Z

Model 204 Security Environments: add link

← Older revision		Revision as of 20:31, 7 December 2016
Line 52:		Line 52:
	Each of the security manager interfaces supported by <var class="product">Model 204</var> implements a		Each of the security manager interfaces supported by <var class="product">Model 204</var> implements a
	default set of parameters, and it also provides a facility for customizing		default set of parameters, and it also provides a facility for customizing
	parameters that can be selected by the <~~code~~>SECPLIST</~~code~~> User 0 parameter.		parameters that can be selected by the <var>[[SECPLIST parameter\|SECPLIST]]</var> User 0 parameter.
	In order to determine if a particular Online is operating under the control of a		In order to determine if a particular Online is operating under the control of a
	security manager, and to determine the specific parameters in effect, you can		security manager, and to determine the specific parameters in effect, you can login as a system manager and execute the following command:
	login as a system manager and execute the following command:
	<p class="code">AUTHCTL VIEW		<p class="code">AUTHCTL VIEW
	</p>		</p>
Line 66:		Line 65:

	<tr><th>RACF</th>		<tr><th>RACF</th>
	<td>Now known as the IBM Security Server, RACF is an IBM Program product. The HLQ parameter is <code>GROUP</code>, which has a default value of "M204RACF".</td></tr>		<td>Now known as the IBM Security Server, RACF is an IBM Program product. The HLQ parameter is <code>GROUP</code>, which has a default value of <code>M204RACF</code>.</td></tr>

	<tr><th>TOPSECRET</th>		<tr><th>TOPSECRET</th>
	<td>CA-Top Secret is marketed by Computer Associates. The HLQ parameter is <code>ACID</code>, which has a default value of "M204TOPS".</td></tr>		<td>CA-Top Secret is marketed by Computer Associates. The HLQ parameter is <code>ACID</code>, which has a default value of <code>M204TOPS</code>.</td></tr>

	<tr><th>ACF2</th>		<tr><th>ACF2</th>

JAL: link repair

2016-12-06T23:18:44Z

link repair

← Older revision		Revision as of 23:18, 6 December 2016
Line 169:		Line 169:
	==Activating and deactivating SirSafe==		==Activating and deactivating SirSafe==
	Until version 7.5 of Model 204, <var class="product">SirSafe</var> was distributed as a component of		Until version 7.5 of Model 204, <var class="product">SirSafe</var> was distributed as a component of
	the <var class="product">[[~~SirMods~~]]</var> product.		the <var class="product">[[Sirius Mods]]</var> product.
	Thereafter, it is a member of the [[RKTools]] product.		Thereafter, it is a member of the [[RKTools]] product.

JAL: /* Model 204 Security Environments */

2016-12-01T01:31:49Z

Model 204 Security Environments

← Older revision		Revision as of 01:31, 1 December 2016
Line 42:		Line 42:
	A Security Environment consists of:		A Security Environment consists of:
	<ul>		<ul>
	<li>An <code>interface</code> between <var class="product">Model 204</var>		<li>An <code>interface</code> between <var class="product">Model 204</var> and a particular security manager </li>
	and a particular security manager </li>

	<li>Certain <code>security parameters</code> that are specific to the interface </li>		<li>Certain <code>security parameters</code> that are specific to the interface </li>
Line 49:		Line 48:
	Detailed information about how to install and configure a security interface for		Detailed information about how to install and configure a security interface for
	<var class="product">Model 204</var> can be found in the		<var class="product">Model 204</var> can be found in the
	[[Security interfaces overview\|Model 204 security interfaces]] pages.		[[Security interfaces overview\|Model 204 security interfaces]] pages.

	Each of the security manager interfaces supported by <var class="product">Model 204</var> implements a		Each of the security manager interfaces supported by <var class="product">Model 204</var> implements a

Admin: 1 revision: SirSafe pages

2016-11-30T21:32:41Z

1 revision: SirSafe pages

← Older revision	Revision as of 21:32, 30 November 2016
(No difference)

JAL: link repair

2016-11-30T21:08:00Z

link repair

New page

The <var class="product">Model 204</var> system manager uses the <var>[[SirSafe command and function reference#logctl enhancements|LOGCTL]]</var> command to maintain database passwords in [[Storing security information (CCASTAT)|CCASTAT]].
Then <var class="product">SirSafe</var> maps the individual file and group entries in CCASTAT into resources that may be controlled
by a system security manager, such as RACF.
Judicious use of naming standards simplifies the division of responsibility
between the <var class="product">Model 204</var> system manager and a system security officer.

==Overview==
When <var class="product">SirSafe</var> is active, it alters the process of verifying passwords for Private and Semipublic files and groups.
When CCASTAT is scanned for a matching password during the file or group open process,
an additional step is added for each entry that matches the password entered by the end-user.
Before the access rights associated with the entry are granted, a system security manager is
used to verify that the user has <code>READ</code> access to that entry in CCASTAT.
If the user doesn't have <code>READ</code> access, the entry is skipped, and CCASTAT processing continues as if the passwords did not match.
Thus, an end user could know a password, but be denied its use.

File or group password entries with the same password and different privileges
can be used to implement very flexible security schemes.
Password entries conveying "strong" access rights should be entered into
CCASTAT with index characters that collate low, such as blank or <code>A</code>.
An entry with the same password and weaker privileges (like read-only)
could follow with a higher collating index, such as <code>1</code>.
Then the same password could give two different users different access rights,
depending upon rules enforced by a system security manager.

<var class="product">SirSafe</var> also enhances control over when an end user is allowed to change the password for a particular file or group CCASTAT entry.
Whenever <var class="product">Model 204</var> prompts for a password, the end user may enter the password value,
followed by a colon (<tt>:</tt>) and a replacement password value.
If the password is matched, then the replacement password value may be
used to overlay the password value in the CCASTAT entry.
Without <var class="product">SirSafe</var>, a particular end user must be authorized to change all file or group passwords or to change none.

<var class="product">SirSafe</var> adds another level of checking before end users are allowed to change a file or group password.
The end user must first have <code>READ</code> access to the particular CCASTAT entry,
then if a replacement password value was provided, <var class="product">SirSafe</var> checks for <code>WRITE</code> access
to the CCASTAT entry.
If the end user has <code>WRITE</code> access, the password is updated.
Otherwise, the update request is rejected.
This facility can prevent the accidental updating of a password shared by many people.

==Model 204 Security Environments==
Use of <var class="product">SirSafe</var> requires an active <var class="product">Model 204</var> Security Environment.
A Security Environment consists of:
<ul>
<li>An <code>interface</code> between <var class="product">Model 204</var>
and a particular security manager </li>

<li>Certain <code>security parameters</code> that are specific to the interface </li>
</ul>
Detailed information about how to install and configure a security interface for
<var class="product">Model 204</var> can be found in the
[[Security interfaces overview|Model 204 security interfaces]] pages.

Each of the security manager interfaces supported by <var class="product">Model 204</var> implements a
default set of parameters, and it also provides a facility for customizing
parameters that can be selected by the <code>SECPLIST</code> User 0 parameter.
In order to determine if a particular Online is operating under the control of a
security manager, and to determine the specific parameters in effect, you can
login as a system manager and execute the following command:
AUTHCTL VIEW

If an interface is active, <var>[[SirSafe command and function reference#auctlvw|AUTHCTL VIEW]]</var> identifies it and list its current parameters.
<var class="product">SirSafe</var> adapts a parameter from each type of interface to form the High Level Qualifier (HLQ) used for mapping CCASTAT entries into virtual data set names.
The parameter used for each interface and the interface defaults are as follows:

<table class="thJustBold">
<tr class="head"><th nowrap>Interface type</th><th>Description and HLQ source</th></tr>

<tr><th>RACF</th>
<td>Now known as the IBM Security Server, RACF is an IBM Program product. The HLQ parameter is <code>GROUP</code>, which has a default value of "M204RACF".</td></tr>

<tr><th>TOPSECRET</th>
<td>CA-Top Secret is marketed by Computer Associates. The HLQ parameter is <code>ACID</code>, which has a default value of "M204TOPS".</td></tr>

<tr><th>ACF2</th>
<td>CA-ACF2 is marketed by Computer Associates. The HLQ is formed by appending the value of the <code>RESOURCE</code> field to the constant <code>R</code>. Thus, the default is <code>R204</code>.</td></tr>
</table>

==Mapping CCASTAT entries to data sets==
<var class="product">SirSafe</var> maps each file or group entry in CCASTAT to a corresponding data set name.
When an end-user needs to access a particular CCASTAT entry (for example,
the entry contains a match for a file or group open password entered by the user), the active
<var class="product">Model 204</var> security interface is used to determine if the data set corresponding to that CCASTAT
entry could be read (or written) by the user.
Note that no attempt is made to open the particular data set, and the data set does not need to exist.

The data set names used by <var class="product">SirSafe</var> for verifying CCASTAT access have four levels:
<ul>
<li>The High Level Qualifier is determined by the active <var class="product">Model 204</var>
security interface as previously described. </li>

<li>The second qualifier is the string <code>FILE</code> or <code>GROUP</code>,
depending upon whether a file or group is being opened. </li>

<li>The third level is the name of the file or group. </li>

<li>The final level is determined by the index character for the current CCASTAT entry.
It will contain the constant string <code>INDEX</code>, followed by the
actual index character, if it is alphanumeric, or else by the two-character
hexadecimal representation of the index character. </li>
</ul>

The following example shows the data set names used by <var class="product">SirSafe</var> to check access for
some corresponding file password entries, assuming that the RACF interface is active
with the default RACF Control Group Name (<code>M204RACF</code>):
file index corresponding "dataset" name
<nowiki>:ALANPROC ... M204RACF.FILE.ALANPROC.INDEX40
:ALANPROC A ... M204RACF.FILE.ALANPROC.INDEXA
:ALANPROC 1 ... M204RACF.FILE.ALANPROC.INDEX1
:ASDF ... M204RACF.FILE.ASDF.INDEX40
:BACKUP ... M204RACF.FILE.BACKUP.INDEX40
</nowiki>

==SirSafe modes for CCASTAT==
<var class="product">SirSafe</var> is controlled by parameters contained in a special CCASTAT entry
maintained by the <code>AUTHCTL</code> system manager command (see [[SirSafe command and function reference#autha|AUTHCTL A SIRSAFE]]).
The special entry includes a list of allowed security environments and
a <var class="product">SirSafe</var> mode specification as follows:

<table class="thJustBold">
<tr><th>OPTIONAL</th>
<td>A CCASTAT that is set to <var>OPTIONAL</var> mode may be used by any <var class="product">Model 204</var> load module, with or without <var class="product">SirSafe</var> support and regardless of the current security environment.
However, <var class="product">SirSafe</var> will only control access to file and group entries in an optional CCASTAT when the current security environment matches one of those specified in the special <var class="product">SirSafe</var> entry.
Note: <var>OPTIONAL</var> mode only activates a subset of the <var class="product">SirSafe</var> functionality. </td></tr>

<tr><th>REQUIRED</th>
<td>A CCASTAT that is set to <var>REQUIRED</var> mode may only be opened by a <var class="product">Model 204</var> load module with <var class="product">SirSafe</var> installed and with a security
environment that matches one of those specified in the special <var class="product">SirSafe</var>entry.
The <var>REQUIRED</var> mode activates additional features of <var class="product">SirSafe</var>.</td></tr>
</table>

The <var>REQUIRED</var> attribute can be used to ensure that a specific security environment
is used to control access to the file and group entries in CCASTAT.
This is especially important when the value of passwords is widely known
and <var class="product">SirSafe</var> provides the security instead of relying on secrecy.

==Support of "visible" passwords==
When <var class="product">SirSafe</var> is <var>REQUIRED</var> for a CCASTAT, then no file or grouppassword can be used
unless the end-user is allowed access to the CCASTAT entry containing the password.
As explained earlier in this section, one benefit of this is that
different end-users can be given different privileges when using the
same password to open the same file or group.
Another benefit is that passwords themselves can be freely shared and distributed,
that is, they do not need to be kept a secret.

When <var class="product">SirSafe</var> is <var>REQUIRED</var> for a CCASTAT, it supports so-called visible file and group passwords.
Extensions to the <var>LOGCTL</var>, <var>LOGFILE</var>, and <var>LOGGRP</var> commands
allow visible passwords to be entered, maintained, and displayed in clear text.
This can greatly simplify management of multiple passwords for a particular
file or group, since there is no guessing about the password value.

Ordinary (invisible) file or group passwords are maintained by the <var>LOGCTL</var> command, using
either a colon (<tt>:</tt>) to indicate a file entry or a
comma (<tt>,</tt>) to indicate a group entry.
Visible entries are indicated by a different pair of special characters:
The "greater than" symbol (<tt>></tt>) indicates a visible file entry, and
the "plus sign" (<tt>+</tt>) indicates a visible group entry.

The <var>LOGFILE</var> and <var>LOGGRP</var> commands are extended to display the password value for visible entries, else a field of asterisks:
LOGFILE PROCFILE
<nowiki>>PROCFILE A THEMAN X'BFFF' 0, 0, 0, 0, 0, ALL
:PROCFILE B ******** X'0761' 0, 0, 0, 0, 0, ALL
>PROCFILE 4 THEMAN X'0221' 0, 0, 0, 0, 0, ALL
</nowiki>
In the example above, there are three password table entries for the file <code>PROCFILE</code>.
Two of them, for the same password, are visible.
In this example, a user in the "file managers" group could get access to the
slot associated with index character <code>A</code>, while everyone else could get access
to the slot associated with index character <code>4</code>.

==Activating and deactivating SirSafe==
Until version 7.5 of Model 204, <var class="product">SirSafe</var> was distributed as a component of
the <var class="product">[[SirMods]]</var> product.
Thereafter, it is a member of the [[RKTools]] product.

Once <var class="product">SirSafe</var> is installed, the
<var>[[SirSafe command and function reference#autha|AUTHCTL A SIRSAFE]]</var> command may be used to activate <var class="product">SirSafe</var> for the current CCASTAT.

Activation adds a special control entry that contains the execution parameters for <var class="product">SirSafe</var>.
If the <var>REQUIRED</var> keyword is present, the version number of CCASTAT will be altered.
This prevents the CCASTAT from being opened by <var class="product">Model 204</var> load modules
without <var class="product">SirSafe</var> support or without the proper security environment.

For example, the following command would activate <var class="product">SirSafe</var> as <var>REQUIRED</var>
and usable only with RACF, using the default value for the <var>GROUP</var> parameter:
AUTHCTL A SIRSAFE REQUIRED MVSRW RACF=M204RACF


The contents of the <var class="product">SirSafe</var> special entry may be displayed by the
<var>[[SirSafe command and function reference#authlst|AUTHCTL LIST SIRSAFE]]</var> command.
The current <var class="product">SirSafe</var> parameters can be replaced using the
<var>[[SirSafe command and function reference#authc|AUTHCTL C SIRSAFE]]</var> command, or
deleted using the <var>[[SirSafe command and function reference#authd|AUTHCTL D SIRSAFE]]</var> command.
Note: If any visible passwords have been stored, they must
all be deleted before
the <var class="product">SirSafe</var> environment can be deleted or changed from <var>REQUIRED</var> to <var>OPTIONAL</var>.


==Identifying file/group CCASTAT entries==
Most <var class="product">Model 204</var> password tables contain a jumble of entries that have accumulated over time.
Frequently a system manager just adds a new password when emergency access is required for a file.
Without visible passwords, it is very easy to lose track of which password corresponds to a particular index character.
Confusion is especially likely when a password is added that has the same value
as one that occurs earlier in the collating sequence.

SirSafe implements an extension to the <var>LOGFILE</var> and <var>LOGGRP</var> commands that allows the
<var class="product">Model 204</var> system manager to create a map of the relationship between password values and index characters.
It can also be used to identify password entries that have duplicate password values.

The <var>PWDLOCATE</var> keyword can be used with the <var>LOGFILE</var> or <var>LOGGRP</var> command to
cause the system to prompt the user for a password value to be "ANDed" with the
other search conditions.
The <var>PWDLOCATE</var> option could be used to diagnose a problem concerning a failure to achieve the desired access:
Suppose a System Manager added a password with the value <code>WRITE</code> with index
character <code>A</code>, but the user reports the password "didn't work."
<var>LOGCTL</var> shows the following:
logfile alanproc
<nowiki>:ALANPROC ******** X'0201' 0, 0, 0, 0, 0, ALL
:ALANPROC A ******** X'BFFF' 0, 0, 0, 0, 0, ALL
:ALANPROC 1 ******** X'0CCC' 0, 0, 0, 0, 0, ALL
</nowiki>

You could use the <var>PWDLOCATE</var> option to identify all of the password
entries that have the password value <code>WRITE</code>:
logfile pwdlocate alanproc
<nowiki>*** M204.0347: PASSWORD
:ALANPROC ******** X'0201' 0, 0, 0, 0, 0, ALL
:ALANPROC A ******** X'BFFF' 0, 0, 0, 0, 0, ALL
</nowiki>
This example shows that the CCASTAT entry for file <code>ALANPROC</code> with the blank index character
also has the password value <code>WRITE</code>, and because it occurs first in the collating sequence, it is being used.

For more information about the <var>PWDLOCATE</var> option, see [[SirSafe command and function reference#pwdloca|Selecting entries by password]].

==Moving file/group CCASTAT entries==
Because <var class="product">SirSafe</var> controls access to individual file or group entries in CCASTAT, the
index character for a password entry is very important.
Naming conventions should be used to enable a few generic dataset rules to cover many files and groups.

A good convention to start with includes the following:
<ol>
<li>Reserve the blank character for system manager emergency use. </li>

<li>Reserve a few other low-collating characters (like A through E)
for mapping unrecognized passwords, so "warning rules" can be used to identify their users. </li>

<li>Reserve the next few characters (like F through H) for all high-power file management passwords. </li>

<li>Reserve index characters that collate high, like numeric digits,
for less-powerful, "public" passwords. </li>
</ol>

Most <var class="product">Model 204</var> password tables contain entries that were allocated in a haphazard fashion with no particular order.
In order to assist with a migration to a more orderly structure, <var class="product">SirSafe</var>
implements a facility for copying a file or group password entry from its current slot to a slot with a different index character.
The <var>[[SirSafe command and function reference#logctlr|LOGCTL R]]</var> command is used to
copy the identified file or group CCASTAT entry.
If the specified entry is located, the user is prompted for the index
character to be used for the copy:
logctl r :procfile
*** M204.0374: ENTER INDEX CHARACTER FOR REPLICATE
4
<nowiki>>PROCFILE 4 ******** X'BFFF' 0, 0, 0, 0, 0, ALL
*** M204.0376: PARAMETERS ACCEPTED
*** M204.0345: CCASTAT UPDATED
</nowiki>
Note: The sequence of <code>LOGCTL R</code> followed by <code>LOGCTL D</code> moves a file or group entry in CCASTAT. 

==Enhanced SECURE command==
<var class="product">SirSafe</var> extends the <var>[[SirSafe command and function reference#SECURE command enhancements|SECURE]]</var> command so that a file or group can be set to
open only when SirSafe is active (that is, the CCASTAT mode may be <var>OPTIONAL</var>
or <var>REQUIRED</var>, but there must be a valid security environment).
This provides an easier-to-manage facility for helping to avoid exposures to
counterfeited password tables.
This facility is activated with the following command:
SECURE FILE SIRSAFE


The CCASTAT modes are described in [[#ssmodes|SirSafe modes for CCASTAT]], and
the security environment is described in [[#msecenv|Model 204 Security Environments]].

==See also==
{{Template:SirSafe topic list}}

[[Category:SirSafe]]

SirSafe control of access to passwords - Revision history

JAL: /* Model 204 Security Environments */ add link

JAL: link repair

JAL: /* Model 204 Security Environments */

Admin: 1 revision: SirSafe pages

JAL: link repair