CHAPTER 8
Sun MTP Secure
This chapter provides an overview of external security and describes Sun MTP Secure, the interface to external security management (ESM) software. The topics include:
External security management enables Sun MTP to provide security functionality beyond SNT-based authentication and transaction-level security (TSL). User authentication through an ESM enables use of better alternatives to a region's SNT, such as an LDAP directory or other centralized global repository and single sign-on support. Access control through an ESM provides resource-level security (RSL) of all Sun MTP resources, including VSAM files, application programs, and terminals, as well as transactions.
An ESM provides for modeling of security rules that typically support grouping of users and resources into roles, each with the permissions required to support the company's security policy.
This procedure describes at a high level the tasks you must perform to implement an ESM for a region.
1. Define a security policy for your application environment.
This policy will probably be developed in conjunction with your site's security administrator. The policy should define all the security requirements for your application.
3. Configure the ESM software.
4. Make sure that the ESM security repository is configured.
5. Set up the region (these tasks can be done at the same time as the previous ones):
a. Define the default user in the Sign-on Table (SNT).
b. Define any pre-defined terminals in the Terminal Control Table (TCT) and SNT.
c. In the region setup file, set any ESM environment variables.
d. In the region setup file, set the Sun MTP Secure environment variables.
Refer to the Sun Mainframe Transaction Processing Software Configuration Guide for descriptions of these variables.
7. Execute the new setup file to set the region's environment to use Sun MTP Secure with the ESM.
Sun MTP Secure provides an interface between a region and the following external security management implementations:
Sun MTP Secure utilizes the ESM to support:
User authentication during sign-on. When a user signs on with the CESN sign-on transaction or with the EXEC CICS SIGNON command, Sun MTP Secure authenticates the user name and password pair with the external security manager rather than with an SNT entry. Use of CSSN for sign-on is not (directly) supported when utilizing an ESM, since the SNT is not required. If an SNT is configured, and CSSN is used to provide a matching operator name, the ESM will be used to authenticate using the SNT's corresponding user ID and supplied password. However, this is not recommended, since it requires maintaining operator name/user ID pairs in an SNT that corresponds to the ESM repository.
Access control of region resources, including VSAM files, application programs, and queues. When transactions access resources, a resource check is issued through Sun MTP Secure to the external security manager to determine if the user running the transaction is authorized to do so. Sun MTP Secure also provides an option to add a prefix to its resource names checked with the ESM.
Note - The security-related fields in the PCT, the SNT's Security/Accounting screen, and the SIT are ignored if Sun MTP Secure is enabled.
Sun MTP Secure also supports resource access control for non-authenticated connections by use of a default userid. That userid would be configured on the ESM repository with permissions to all resources deemed non-protected by the company security policy, and would include permissions to run the sign-on transaction CESN, at least. Sun MTP Secure requires an SNT entry containing that userid and its password. That userid is identified to the region by the KIXSECDFLTUSER environment variable, and is authenticated with the ESM during region startup.
Sun MTP Secure also supports preset terminal security, which allows a terminal, such as a printer, to run STARTed or triggered transactions using that configured userid for its resource permissions. Sun MTP Secure requires that those userids also be configured with passwords in the SNT; those are also then authenticated with the ESM during region startup.
To enable any external security management system you must enable Sun MTP Secure by setting the KIXSEC environment variable to YES in the region setup file. This enables resource checking for all region resources and user authentication through the ESM.
You can selectively disable resource checking for a resource type by setting its environment variable to NO. For example, setting KIXTSTSEC=NO in the region's setup file will disable checking for temporary storage files. Refer to the section on Sun MTP Secure environment variables in the Sun Mainframe Transaction Processing Software Configuration Guide.
Prior to starting a region with Sun MTP Secure enabled, you must configure a default user name and password and the predefined TCT user names and passwords in the SNT.
There is no validated user name identified with the connection if a connection to a region is made other than through the UNIX client, or as a sign-on with the CESN transaction or EXEC CICS SIGNON, or the connection has been signed off with the CESF transaction or EXEC CICS SIGNOFF. In this situation, Sun MTP Secure uses the default user name defined in the KIXSECDFLTUSER environment variable.
The default user name and password are authenticated through Sun MTP Secure with the external security manager during region startup. If the default user name and password cannot be authenticated, the region is not allowed to execute and unikixmain terminates.
When Sun MTP Secure is enabled, the user names predefined in the TCT are authenticated with the external security manager during startup. The user names must be configured with the correct password in the SNT. This is the same requirement for the default user name described above. If the user name and password fail authentication, the region is not allowed to execute and unikixmain terminates.
To Configure User Names and Passwords
1. Set the environment variable KIXSEC=NO to disable security checking.
3. Add the user names and passwords to the SNT and corresponding user names to the required TCT entries.
Refer to the Sun Mainframe Transaction Processing Software Reference Guide.
5. Set the environment variable KIXSEC=YES to enable security checking.
6. Set the KIXSECDFLTUSER environment variable to the default user ID.
There are several communication paths that do not provide for, or require, user sign-on to a region. All transactions using these communication paths are associated with the default user name, unless other user validation is provided, or the terminal used is one of those predefined in the TCT. Use of the default user name allows the Security Administrator to limit access to transactions or resources.
Note - The default user name is used for all transactions on all communications paths after a CESF/CSSF or EXEC CICS SIGNOFF for that user's terminal.
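The startup checks and the default-user rule described above, as an added example that is not Sun MTP code: a small Python model of what the region does before it is allowed to run with KIXSEC=YES (the default user and every TCT preset user must have an SNT entry whose password the ESM accepts, otherwise unikixmain terminates) and of which user name a transaction is charged to when no validated sign-on exists. The environment variable names are the page's; the ESM user repository, SNT, TCT, user IDs and passwords are constructed for the example, and the password-in-SNT lookup is a simplification of the real tables.

```python
"""Added example (not Sun MTP code): models the region startup checks and the
default-user rule from the Sun MTP Secure chapter. All table contents are constructed."""

# Constructed ESM user repository: user ID -> password.
ESM_USERS = {"mtpdflt": "dflt-secret", "prtuser": "prt-secret", "alice": "a-secret"}

# Constructed Sign-on Table (SNT): user ID -> password (only the fields this model needs).
SNT = {"mtpdflt": "dflt-secret", "prtuser": "prt-secret"}

# Constructed Terminal Control Table (TCT): terminal name -> preset user ID, or None.
TCT = {"L001": None, "P001": "prtuser"}


def esm_authenticate(esm_users, user, password):
    """Stand-in for the ESM's user name/password authentication."""
    return user in esm_users and esm_users[user] == password


def authenticate_from_snt(esm_users, snt, user):
    """Authenticate a userid with the ESM using the password configured for it in the SNT."""
    if user not in snt:
        return False, f"no SNT entry for {user}"
    if not esm_authenticate(esm_users, user, snt[user]):
        return False, f"ESM rejected {user}"
    return True, f"authenticated {user}"


def region_startup(env, snt, tct, esm_users):
    """Return (can_run, messages). can_run False means unikixmain would terminate."""
    messages = []
    if env.get("KIXSEC") != "YES":
        messages.append("KIXSEC is not YES: Sun MTP Secure disabled, SNT/PCT security applies")
        return True, messages
    default_user = env.get("KIXSECDFLTUSER")
    if not default_user:
        messages.append("KIXSECDFLTUSER is not set")
        return False, messages
    # The default user is authenticated with the ESM during region startup.
    ok, msg = authenticate_from_snt(esm_users, snt, default_user)
    messages.append("default user: " + msg)
    if not ok:
        return False, messages
    # Preset terminal users must also be in the SNT and authenticate with the ESM.
    for terminal, preset in tct.items():
        if preset is None:
            continue
        ok, msg = authenticate_from_snt(esm_users, snt, preset)
        messages.append(f"terminal {terminal}: {msg}")
        if not ok:
            return False, messages
    return True, messages


def effective_user(signed_on_user, terminal, env, tct):
    """User name charged for a transaction: the validated sign-on if there is one,
    else the terminal's preset user from the TCT, else the region default user."""
    if signed_on_user:
        return signed_on_user
    if tct.get(terminal):
        return tct[terminal]
    return env["KIXSECDFLTUSER"]


if __name__ == "__main__":
    env = {"KIXSEC": "YES", "KIXSECDFLTUSER": "mtpdflt"}
    can_run, msgs = region_startup(env, SNT, TCT, ESM_USERS)
    print("region can run:", can_run)
    for m in msgs:
        print("  ", m)
    print("unsigned terminal L001 runs as:", effective_user(None, "L001", env, TCT))
    print("printer P001 runs as:", effective_user(None, "P001", env, TCT))
```

The model makes the failure modes in the text concrete: a default user that has no SNT entry, or a preset terminal user whose SNT password the ESM rejects, both stop the region, while with KIXSEC set to anything but YES none of the ESM checks are made.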
The Sun MTP Secure resource class types are listed in the following table. These resource class types correspond to the resource types defined in Sun MSF's security repository.
VSAM files (KIX-FILES resource class). Controls who is allowed to access specified VSAM files.
Sun MTP applications. Controls access to specified programs that an application invokes using a LINK, XCTL, or LOAD command.
Sun MTP journals. Controls who is allowed to access specified journals.
Subset of Sun MTP administrative commands that are subject to command security checking (KIX-COMMANDS resource class). Controls who is allowed to access specified administrative commands, as defined in TABLE 8-4.
Started transactions. Controls who is allowed to EXEC CICS START the specified transactions.
Terminal attached transactions (KIX-ATTACH-TRANS resource class). Controls who is allowed to submit specified transactions from a terminal.
Sun MTP extrapartition and intrapartition transient data destinations, also known as transient data queues (TDQs). Controls who is allowed to access the specified TDQ names.
Temporary storage destinations. Controls who is allowed to access the specified temporary storage queue names.
Sun MTP terminals (KIX-TERMINALS resource class). Controls who is allowed to use the specified terminal names.
Region you want to control access to (UNIX-APPLS resource class). The value is the region's $KIXSYS directory path name. Controls who can start, terminate, and execute the region.
The access rights for each user, including the default user, $KIXSECDFLTUSER, are configured with the ESM by defining access permissions (read, write, execute, etc.) for the region's resource classes: transactions, VSAM files, transient data, temporary storage queues, terminals, journals, and programs.
When a region uses Sun MTP Secure, the security key fields in the SNT and PCT are ignored. Instead, each user name and password is configured with the ESM. If a corresponding SNT entry is configured for that user name, other fields such as the operator name, operator id, and operator class, are copied into the TCT when the user signs on and is validated through Sun MTP Secure. These fields correspond to what IBM's RACF provides in its CICS Extension record.
Note - SNT entries are not required for each Sun MTP user; if no entry exists for that user name, those TCT fields are left empty.
This user name is then used for security checking for each transaction submitted by the user, and for each resource accessed by that transaction. For example, with terminal-attached transaction security enabled (KIXPCTSEC=YES), when the user submits a transaction, the transaction name (Trans ID) in the PCT is submitted with the KIX-ATTACH-TRANS resource class, along with the user name, to the external security manager through Sun MTP Secure.
If Sun MTP Secure then receives a denial from the ESM for that user's access to that transaction, the TRANSACTION NOT AUTHORIZED FOR USER message is displayed.
If the user wants to sign on as a different user with different privileges, the user can enter the CESN transaction with a valid user name and password.
If there is no validated user name identified with the user's connection, the region uses the default user name defined in the KIXSECDFLTUSER environment variable. The access rights for that default user name are configured with the ESM. For more information about $KIXSECDFLTUSER, refer to the section on Sun MTP Secure environment variables in the Sun Mainframe Transaction Processing Software Configuration Guide.
Note - When terminal-attached transaction security is enabled (KIXPCTSEC=YES), the required permissions for all the Sun MTP system transactions must be set in the ESM's security repository. See Security for Sun MTP System Transactions.
When a region uses Sun MTP Secure, you can control the access to the resources by transactions as well as access to those transactions. These resources are configured with the external security manager by their identity within predefined resource class types. You can also selectively disable and enable access checking by resource class type with corresponding Sun MTP Secure environment variables.
The region calls Sun MTP Secure for each resource access, presenting its name, resource class, the user name running the transaction, and the access permission required. The required permission for each access operation is illustrated in the following table.
STARTBR[1]
The following table describes the required access permission for the remaining Sun MTP Secure resource classes.
VSAM file access control through the KIX-FILES resource class also controls batch program access (unikixvsam), the VSAM file utilities unikixbld and kixfile, as well as Sun MBM program access through the rtsvsam and sortx utilities.
Users are granted or denied access to VSAM files for these facilities by the same permissions specified for KIX-FILES access for transactions. However, the user name associated with the batch job submitted through the batch server or the CBCH command, but not Sun MBM, is the user name that started that region (kixstart or unikixmain). The user name associated with a Sun MBM job is the user that submits the job. Therefore, use Sun MBM for batch job submission when using Sun MTP Secure.
The KIX-FILES resource class also controls access to the VSAM catalog, which is a VSAM dataset with the name CATALOG. By granting or denying KIX-FILES read permission on the CATALOG dataset, users are granted or denied permission to view VSAM file definitions in the VSAM catalog using the CFMS transaction. By granting or denying KIX-FILES write permission on the CATALOG dataset, users are granted or denied permission to create, delete, or modify VSAM files defined in the VSAM catalog using the CFMS transaction or the unikixbld or kixfile utilities.
The region also uses Sun MTP Secure to control access to internal administrative resources by the CEMT transaction or by applications that use the EXEC CICS INQUIRE/PERFORM/SET API. The resource class that represents these administrative commands is KIX-COMMANDS. The following table maps the resource names for the KIX-COMMANDS class to specific EXEC CICS and CEMT operations. Note that all INQUIRE functions require read permission and all SET functions require write permission. Most of these commands are common to both EXEC CICS and CEMT interfaces; but where they are unique to an interface, they are prefaced with either EXEC CICS or CEMT.
CEMT PERFORM SHUTDOWN[2]
Point-of-entry security permits or denies users of a particular Sun MTP region and specific terminal name access to a region.
The UNIX-APPLS resource class can be configured with the ESM to permit or deny users access when attempting to connect to a particular region, based on its $KIXSYS value. The ESM also validates that the user is permitted to use the terminal name that was specified or acquired for that connection by that user. The KIX-TERMINALS resource class is configured with the ESM to permit or deny a set of users access to a specific terminal name.
You can disable UNIX-APPLS resource checking by setting the KIXAPPSEC environment variable to NO. Refer to the Sun Mainframe Transaction Processing Software Configuration Guide for information about the Sun MTP Secure environment variables.
The ESM validates that a user has permission on the UNIX-APPLS resource to either start or terminate that region. If the user does not have permission to start the region with the kixstart command, the following message is displayed:
Note - Only the user name that started Sun MTP can run kixclean, not any user with UNIX-APPLS permission for that region.
Sun MTP Secure provides for the prefixing of all resource names as an option. If there are several Sun MTP regions being managed by the same ESM, it might be necessary or desirable for the resources of each region to be uniquely qualified in this manner. For example, users A, B, and C might have permission to access the PAYROLL dataset in the Test region, but might not have permission to access the dataset in the Prod region, because the datasets are actually two different VSAM files.
Prefixing is enabled with the KIXSECPREFIX environment variable. If set to YES, all resource names are prefixed with the region's application name as defined in the SIT. Using the example of the PAYROLL dataset described earlier, users A, B, and C would be checked by the ESM and could be authorized access to the TestPAYROLL dataset, but denied access to the ProdPAYROLL dataset, as configured on the ESM repository.
Sun MTP Secure will record the results of ESM logons and access checking in the region's unikixmain.log file. The type of results written is defined in the KIXSEC_LOGGING environment variable. Setting this environment variable to ALL will log all ESM results, both success and failure. Setting the variable to DENIALS will log only ESM denial results. A setting of NONE will disable logging.
Note - This logging is in addition to any ESM audit logging, and is useful for tracking audit events for a specific region, which might not be visible in the ESM logs.
When an external security manager is in use, the results of a user's access attempts on various resources are stored in an area of the region's memory referred to as the results cache. The cached result is used for subsequent accesses to the same resource, which speeds up access. This cache area is not cleared when a user logs off.
If the rules in the security repository change and those rules affect the users of a region, the following system transaction should be executed. It clears the region's results cache, so that the new rules are queried from the ESM as users attempt to access resources.
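The access-check path described in this chapter (resource classes, KIXSECPREFIX prefixing, KIXSEC_LOGGING, and the results cache that survives sign-off), as an added example that is not Sun MTP code: a Python model of how a region would consult the ESM through Sun MTP Secure, and why a rule change in the repository does not take effect for a user until the results cache is cleared. The resource class names, environment variable names and the INQUIRE/SET permission rule are the page's; the ESM repository contents, the application name "Test"/"Prod", the user and dataset names, the mapping of KIXPCTSEC and KIXAPPSEC to their classes, and the log line format are constructed assumptions.

```python
"""Added example (not Sun MTP code): a model of the Sun MTP Secure access-check path,
showing resource-name prefixing, result logging and results-cache staleness.
The repository, names and log format are constructed for the example."""
from dataclasses import dataclass, field

# Constructed ESM repository: (resource class, resource name) -> {user: permissions}.
# "Test" and "Prod" are the constructed application names (SIT) used as prefixes.
ESM_REPOSITORY = {
    ("KIX-FILES", "TestPAYROLL"): {"userA": {"read", "write"}, "userB": {"read"}},
    ("KIX-FILES", "ProdPAYROLL"): {"userC": {"read"}},
    ("KIX-ATTACH-TRANS", "TestPAY1"): {"userA": {"execute"}, "userB": {"execute"}},
    ("UNIX-APPLS", "Test/home/mtp/regions/test"): {"userA": {"execute"}},
}

# Per-class disable switches named on the page; the class they govern is assumed here.
CLASS_SWITCH = {"KIX-ATTACH-TRANS": "KIXPCTSEC", "UNIX-APPLS": "KIXAPPSEC"}


def command_permission(operation):
    """KIX-COMMANDS rule from the chapter: INQUIRE needs read, SET needs write."""
    if operation == "INQUIRE":
        return "read"
    if operation == "SET":
        return "write"
    raise ValueError(f"permission for {operation} is not defined in this model")


@dataclass
class SunMtpSecureModel:
    env: dict                                   # region setup file variables
    applid: str                                 # application name from the SIT
    repository: dict = field(default_factory=lambda: {k: dict(v) for k, v in ESM_REPOSITORY.items()})
    log: list = field(default_factory=list)     # stands in for unikixmain.log
    _cache: dict = field(default_factory=dict)  # results cache; not cleared at sign-off

    def resource_name(self, name):
        """Qualify the name with the application name when KIXSECPREFIX=YES."""
        return self.applid + name if self.env.get("KIXSECPREFIX") == "YES" else name

    def _record(self, user, cls, name, perm, allowed):
        """Write a result line according to KIXSEC_LOGGING (ALL, DENIALS or NONE)."""
        mode = self.env.get("KIXSEC_LOGGING", "NONE")
        if mode == "ALL" or (mode == "DENIALS" and not allowed):
            verdict = "PERMIT" if allowed else "DENY"
            self.log.append(f"{verdict} user={user} class={cls} resource={name} access={perm}")

    def check(self, user, cls, name, perm):
        """Return True if the user holds the permission; only real ESM calls are logged (assumption)."""
        if self.env.get("KIXSEC") != "YES":
            return True                         # Sun MTP Secure not enabled
        if self.env.get(CLASS_SWITCH.get(cls, ""), "YES") == "NO":
            return True                         # checking disabled for this class
        qualified = self.resource_name(name)
        key = (user, cls, qualified, perm)
        if key in self._cache:
            return self._cache[key]             # served from the results cache
        allowed = perm in self.repository.get((cls, qualified), {}).get(user, set())
        self._cache[key] = allowed
        self._record(user, cls, qualified, perm, allowed)
        return allowed

    def clear_cache(self):
        """What the cache-clearing system transaction does for the region."""
        self._cache.clear()


def stale_cache_demo():
    """Revoke a permission in the repository and show the region still permits until the cache is cleared."""
    m = SunMtpSecureModel({"KIXSEC": "YES", "KIXSECPREFIX": "YES", "KIXSEC_LOGGING": "DENIALS"}, "Test")
    first = m.check("userB", "KIX-FILES", "PAYROLL", "read")       # permitted, now cached
    m.repository[("KIX-FILES", "TestPAYROLL")]["userB"] = set()     # rule changed in the ESM
    cached = m.check("userB", "KIX-FILES", "PAYROLL", "read")      # stale cached permit
    m.clear_cache()
    fresh = m.check("userB", "KIX-FILES", "PAYROLL", "read")       # ESM consulted again: denied
    return first, cached, fresh, list(m.log)


if __name__ == "__main__":
    print("first, cached, fresh, log:", stale_cache_demo())
```

The same PAYROLL name resolves to TestPAYROLL or ProdPAYROLL depending on the region's application name, so a user's rights in one region say nothing about the other; and a revocation in the repository is only seen by the region after the results cache is cleared, which is the reason the chapter asks for the cache-clearing transaction after rule changes.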
Copyright © 2004, Sun Microsystems, Inc. All rights reserved.