eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect


supportconnectw.ca.com, 12.07.2015

InfoPrint Server for z/OS and OS/390 (z/OS and OS/390 Print Server)

In addition, if you are securing daemon authority, the TELNET server ID must have the following permission:

TSS PER(OMVSKERN) IBMFAC(BPX.DAEMON)

InfoPrint Server for z/OS and OS/390 (z/OS and OS/390 Print Server)

The z/OS and OS/390 Print Server available with OS/390 V2R5 allowed for consolidation of print files from multiple servers into one central server. At OS/390 V2R8, the Print Server was renamed to InfoPrint Server for z/OS and OS/390. Control of the resources defined under the Print Server requires the definition of two groups: AOPOPER and AOPADMIN. These are IBM defaults. AOPOPER is the operator group with authority to start and stop the print interface. AOPADMIN provides authority to administer the printer inventory and controls. If the separation of authority is not necessary, then one group name can be defined for both functions.

Use the following steps to define the security environment for eTrust CA-Top Secret:

TSS CRE(AOPADMIN) TYPE(GROUP) NAME('PRINT SERVER') DEPT(dept)
TSS ADD(AOPADMIN) GID(6)
TSS ADD(admin acid) GROUP(AOPADMIN)
TSS CRE(AOPOPER) TYPE(GROUP) NAME('PRINT SERVER') DEPT(dept)
TSS ADD(AOPOPER) GID(7)
TSS ADD(acid) GROUP(AOPOPER)
TSS ADD(JDCSYS) IBMFAC(AOPADMIN)
TSS PERMIT(dept acid) IBMFAC(AOPADMIN) ACCESS(ALL)

WebSphere Application Server for z/OS AND OS/390

WebSphere for z/OS supports access to resources by clients and servers in a distributed network. Part of your security strategy should be to determine how to control access to these resources and prevent inadvertent or malicious destruction of the system or data.

1–36 Cookbook
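As an added verification step that is not part of the cookbook: a batch TSO job that lists the two InfoPrint Server groups named in the text (AOPADMIN and AOPOPER) and reports who owns and who is permitted to the IBMFAC resources defined above, so the definitions can be checked after they are issued. The job card values are placeholders; the acid names OMVSKERN, AOPADMIN and AOPOPER are taken from the text.

```jcl
//TSSVERFY JOB (ACCT),'VERIFY AOP GROUPS',CLASS=A,MSGCLASS=X
//* Added example, not cookbook code: run TSS query commands from
//* batch TSO (IKJEFT01) to confirm the InfoPrint Server security
//* definitions. Replace the job card values for your site.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* Show the two groups, their GIDs and the acids connected to them */
 TSS LIST(AOPADMIN) DATA(ALL)
 TSS LIST(AOPOPER) DATA(ALL)
 /* Show ownership and every PERMIT on the print-administration
    resource; only administrators should appear with ACCESS(ALL) */
 TSS WHOHAS IBMFAC(AOPADMIN)
 /* Confirm the daemon permission granted to the TELNET server ID
    and that no unexpected acid also holds BPX.DAEMON */
 TSS LIST(OMVSKERN) DATA(ALL)
 TSS WHOHAS IBMFAC(BPX.DAEMON)
/*
```

Review the SYSTSPRT output for any acid permitted to BPX.DAEMON or AOPADMIN that is not one of the intended server or administrator acids.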

These are the pieces in the distributed network that you must consider:

■ You must authorize servers to the base operating system services in z/OS or OS/390. These services include eTrust CA-Top Secret security, database management, and transaction management.
■ For the servers, you must distinguish between control regions and server regions. Control regions run authorized system code, so they are trusted. Server regions run application code and are given access to resources, so you should carefully consider the authorizations you give server regions.
■ You must also distinguish between the level of authority given to run-time servers compared to your own application servers. For example, the System Management server needs the authority to start other servers, while your own application servers do not need this authority.
■ You must authorize clients (users) to servers and objects within servers. The characteristics of each client require special consideration:
  - Is the client on the local system or is it remote? The security of the network becomes a consideration for remote clients.
  - Will you allow unidentified (unauthenticated) clients to access the system? Some resources on your system can be intended for public access, while others must be protected. In order to access protected resources, clients must establish their identities and have authorization to use those resources.
  - What kind of objects will the client access? Enterprise beans and CORBA objects have differing authorization mechanisms.

If you must protect resources, identifying who accesses those resources is critical. Thus, any security system requires client (user) identification, also known as authentication.

In a distributed network supported by WebSphere for z/OS, clients can be accessing resources from:

■ Within the same system as a server
■ Within the same sysplex as the server
■ Remote z/OS or OS/390 systems
■ Heterogeneous systems, such as WebSphere on distributed platforms, CICS, or other CORBA-compliant systems.

Additionally, clients can request a service that requires a server to forward the request to another server. In such cases the system must handle delegation, the availability of the client identity for use by intermediate servers and target servers.

Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–37

