C H A P T E R  8

Sun MTP Secure

This chapter provides an overview of external security and describes Sun MTP Secure, the interface to external security management (ESM) software. The topics include:

  • Introduction to External Security Management
  • Integrating an ESM With Sun MTP
  • Using Sun MTP Secure


Introduction to External Security Management

External security management enables Sun MTP to provide security functionality beyond SNT-based authentication and transaction-level security (TSL). User authentication through an ESM enables use of better alternatives to a region's SNT, such as an LDAP directory or other centralized global repository and single sign-on support. Access control through an ESM provides resource-level security (RSL) of all Sun MTP resources, including VSAM files, application programs, and terminals, as well as transactions.

An ESM provides for modeling of security rules that typically support grouping of users and resources into roles, each with the permissions required to support the company's security policy.


Integrating an ESM With Sun MTP

This procedure describes at a high level the tasks you must perform to implement an ESM for a region.

1. Define a security policy for your application environment.

This policy will probably be developed in conjunction with your site's security administrator. The policy should define all the security requirements for your application.

2. Install the ESM software.

3. Configure the ESM software.

4. Make sure that the ESM security repository is configured.

5. Set up the region (these tasks can be done at the same time as the previous ones):

a. Define the default user in the Sign-on Table (SNT).

b. Define any pre-defined terminals in the Terminal Control Table (TCT) and SNT.

c. In the region setup file, set any ESM environment variables.

d. In the region setup file, set the Sun MTP Secure environment variables.

Refer to the Sun Mainframe Transaction Processing Software Configuration Guide for descriptions of these variables.

6. Shut down the region.

7. Execute the new setup file to set the region's environment to use Sun MTP Secure with the ESM.

8. Start the region.


Using Sun MTP Secure

Sun MTP Secure provides an interface between a region and the following external security management implementations:

Sun MTP Secure utilizes the ESM to support:

User authentication during sign-on. When a user signs on with the CESN sign-on transaction or with the EXEC CICS SIGNON command, Sun MTP Secure authenticates the user name and password pair with the external security manager rather than against an SNT entry. Use of CSSN for sign-on is not directly supported when an ESM is in use, since the SNT is not required. If an SNT is configured and CSSN is used with a matching operator name, the ESM is used to authenticate the SNT's corresponding user ID with the supplied password. This is not recommended, because it requires maintaining operator name/user ID pairs in an SNT that mirrors the ESM repository.

Access control of region resources, including VSAM files, application programs, and queues. When transactions access resources, a resource check is issued through Sun MTP Secure to the external security manager to determine if the user running the transaction is authorized to do so. Sun MTP Secure also provides an option to add a prefix to its resource names checked with the ESM.



Note - The security-related fields in the PCT, the SNT's Security/Accounting screen, and the SIT are ignored if Sun MTP Secure is enabled.



Sun MTP Secure also supports resource access control for non-authenticated connections by use of a default user ID. That user ID is configured in the ESM repository with permissions to all resources the company security policy deems non-protected, and at least with permission to run the sign-on transaction CESN. Sun MTP Secure requires an SNT entry containing that user ID and its password. The user ID is identified to the region by the KIXSECDFLTUSER environment variable and is authenticated with the ESM during region startup.

Sun MTP Secure also supports preset terminal security, which allows a terminal, such as a printer, to run STARTed or triggered transactions using the user ID configured for that terminal for its resource permissions. Sun MTP Secure requires that those user IDs also be configured with passwords in the SNT; they too are authenticated with the ESM during region startup.

Enabling Sun MTP Secure

To enable any external security management system you must enable Sun MTP Secure by setting the KIXSEC environment variable to YES in the region setup file. This enables resource checking for all region resources and user authentication through the ESM.

You can selectively disable resource checking for a resource type by setting its environment variable to NO. For example, setting KIXTSTSEC=NO in the region's setup file will disable checking for temporary storage files. Refer to the section on Sun MTP Secure environment variables in the Sun Mainframe Transaction Processing Software Configuration Guide.

Prior to starting a region with Sun MTP Secure enabled, you must configure a default user name and password and the predefined TCT user names and passwords in the SNT.

Default User Name

A connection to a region has no validated user name if it was made other than through the UNIX client, if no sign-on has been performed with the CESN transaction or EXEC CICS SIGNON, or if the connection has been signed off with the CESF transaction or EXEC CICS SIGNOFF. In these situations, Sun MTP Secure uses the default user name defined in the KIXSECDFLTUSER environment variable.

The default user name and password are authenticated through Sun MTP Secure with the external security manager during region startup. If the default user name and password cannot be authenticated, the region is not allowed to execute and unikixmain terminates.

Authenticating Preset Terminal User Names

When Sun MTP Secure is enabled, the user names predefined in the TCT are authenticated with the external security manager during startup. The user names must be configured with the correct password in the SNT. This is the same requirement for the default user name described above. If the user name and password fail authentication, the region is not allowed to execute and unikixmain terminates.


To Configure User Names and Passwords

1. Set the environment variable KIXSEC=NO to disable security checking.

2. Start the region.

3. Add the user names and passwords to the SNT and corresponding user names to the required TCT entries.

Refer to the Sun Mainframe Transaction Processing Software Reference Guide.

4. Shut down the region.

5. Set the environment variable KIXSEC=YES to enable security checking.

6. Set the KIXSECDFLTUSER environment variable to the default user ID.

7. Start the region.
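The procedure above ends with the region being restarted from a setup file that must carry a consistent set of Sun MTP Secure variables. The following pre-flight check is an added example written for this chapter, not Sun MTP code: it reads the variables out of a setup file and reports the settings a security reviewer would question before the region is started with KIXSEC=YES. It assumes the setup file is a shell script that assigns variables as NAME=VALUE, optionally preceded by `export` or followed by `; export NAME` (an assumption about the file layout; the Configuration Guide is authoritative). The variable names and the YES/NO and ALL/DENIALS/NONE values are those given in this chapter; which conditions are reported, and at what severity, is this script's own choice. The sample setup file embedded in the script is constructed.

```python
"""Pre-flight check of the Sun MTP Secure settings in a region setup file.

Added example; not Sun MTP code. Assumes NAME=VALUE assignments in a shell
script, optionally with a leading "export" or a trailing "; export NAME".
"""
import re

# NAME=VALUE, with an optional leading "export" and an optional trailing ";..."
SETUP_LINE = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)=([^;\s]*)")

# Per-resource-class switches named in this chapter and the class each guards.
CLASS_VARS = {
    "KIXPCTSEC": "KIX-ATTACH-TRANS",
    "KIXFCTSEC": "KIX-FILES",
    "KIXPPTSEC": "KIX-PROGRAMS",
    "KIXJCTSEC": "KIX-JOURNALS",
    "KIXSTTSEC": "KIX-START-TRANS",
    "KIXDCTSEC": "KIX-TD-QUEUE",
    "KIXTSTSEC": "KIX-TS-QUEUE",
    "KIXTCTSEC": "KIX-TERMINALS",
    "KIXCMDSEC": "KIX-COMMANDS",
    "KIXAPPSEC": "UNIX-APPLS",
}

# Constructed sample setup file; the values are illustrative, not a real region.
SAMPLE_SETUP = """\
# region setup file (constructed sample)
export KIXSYS=/regions/test
KIXSEC=YES; export KIXSEC
export KIXSECDFLTUSER=KIXDFLT
export KIXSECPREFIX=YES
export KIXSEC_LOGGING=DENIALS
export KIXTSTSEC=NO
"""


def parse_setup(text):
    """Return the NAME=VALUE assignments found in a setup file as a dict."""
    env = {}
    for line in text.splitlines():
        match = SETUP_LINE.match(line)
        if match:
            env[match.group(1)] = match.group(2).strip("\"'")
    return env


def check_secure_config(env):
    """Return (severity, message) findings for the Sun MTP Secure variables."""
    findings = []
    if env.get("KIXSEC", "").upper() != "YES":
        # Without KIXSEC=YES none of the other variables is consulted.
        findings.append(("ERROR", "KIXSEC is not YES: Sun MTP Secure is off and "
                         "the region falls back to SNT and PCT security"))
        return findings
    if not env.get("KIXSECDFLTUSER"):
        findings.append(("ERROR", "KIXSECDFLTUSER is unset: the default user must "
                         "exist and is authenticated with the ESM at startup"))
    for var, cls in CLASS_VARS.items():
        if env.get(var, "").upper() == "NO":
            findings.append(("WARN", f"{var}=NO disables ESM checking for {cls}"))
    if env.get("KIXSEC_LOGGING", "").upper() not in ("ALL", "DENIALS"):
        findings.append(("WARN", "KIXSEC_LOGGING is not ALL or DENIALS: ESM denials "
                         "may not be recorded in unikixmain.log"))
    if env.get("KIXSECPREFIX", "").upper() != "YES":
        findings.append(("INFO", "KIXSECPREFIX is not YES: resource names are not "
                         "qualified by region and are shared across regions on this ESM"))
    return findings


if __name__ == "__main__":
    for severity, message in check_secure_config(parse_setup(SAMPLE_SETUP)):
        print(f"{severity}: {message}")
```

Run it against the real setup file before step 7; with the constructed sample it reports only that KIXTSTSEC=NO leaves temporary storage queues unchecked. The KIXSEC=NO case is reported as an error on purpose: it is the intended state only during steps 1 to 4 of the procedure, never for a production start.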

Communication Paths Requiring Default User Name

There are several communication paths that do not provide for, or require user sign-on to a region. All transactions using these communication paths are associated with the default user name, unless other user validation is provided, or the terminal used is one of those predefined in the TCT. Use of the default user name allows the Security Administrator to limit access to transactions or resources.

EPI Clients

Uses the default user name.

ECI Clients

Uses the user name specified in the ECI request.

ISC Servers

Uses the default user name for EPI.

For ECI, the request uses the required user name and password, which is then validated.

Transaction routing, function shipping, and ATI use the default user name (local security).

Refer to the Sun Mainframe Transaction Processing Software Reference Guide for information about attach security. Refer to the Sun Mainframe Transaction Processing Software Configuration Guide for instructions on configuring ISC.

TN3270 Server

Uses the default user name when the TN3270 server was started with the option that specifies no login or password validation. Refer to the Sun Mainframe Transaction Processing Software Configuration Guide for information about configuring a region for TN3270 connections.




Note - The default user name is used for all transactions on all communications paths after a CESF/CSSF or EXEC CICS SIGNOFF for that user's terminal.



Sun MTP Secure Resource Class Types

The Sun MTP Secure resource class types are listed in the following table. These resource class types correspond to the resource types defined in Sun MSF's security repository.

TABLE 8-1 Sun MTP Secure Resource Classes

Resource Class Type   Sun MSF Resource Type   Description
KIX-FILES             KIX_FILE                VSAM files. Controls who is allowed to access specified VSAM files.
KIX-PROGRAMS          KIX_PROGRAM             Sun MTP applications. Controls access to specified programs that an application invokes using a LINK, XCTL, or LOAD command.
KIX-JOURNALS          KIX_JOURNAL             Sun MTP journals. Controls who is allowed to access specified journals.
KIX-COMMANDS          KIX_COMMAND             Subset of Sun MTP administrative commands that are subject to command security checking. Controls who is allowed to access specified administrative commands, as defined in TABLE 8-4.
KIX-START-TRANS       KIX_START_TRANS         Started transactions. Controls who is allowed to EXEC CICS START the specified transactions.
KIX-ATTACH-TRANS      KIX_ATTACH_TRANS        Terminal-attached transactions. Controls who is allowed to submit specified transactions from a terminal.
KIX-TD-QUEUE          KIX_TDQUEUE             Sun MTP extrapartition and intrapartition transient data destinations, also known as transient data queues (TDQs). Controls who is allowed to access the specified TDQ names.
KIX-TS-QUEUE          KIX_TS_QUEUE            Temporary storage destinations. Controls who is allowed to access the specified temporary storage queue names.
KIX-TERMINALS         KIX_TERMINAL            Sun MTP terminals. Controls who is allowed to use the specified terminal names.
UNIX-APPLS            KIX_REGION              Region you want to control access to. The value is the region's $KIXSYS directory path name. Controls who can start, terminate, and execute the region.


Using Sun MTP Secure for Transaction and Resource Security

The access rights for each user, including the default user, $KIXSECDFLTUSER, are configured with the ESM by defining access permissions (read, write, execute, etc.) for the region's resource classes: transactions, VSAM files, transient data, temporary storage queues, terminals, journals, and programs.

When a region uses Sun MTP Secure, the security key fields in the SNT and PCT are ignored. Instead, each user name and password is configured with the ESM. If a corresponding SNT entry is configured for that user name, other fields such as the operator name, operator id, and operator class, are copied into the TCT when the user signs on and is validated through Sun MTP Secure. These fields correspond to what IBM's RACF provides in its CICS Extension record.



Note - SNT entries are not required for each Sun MTP user; if no entry exists for that user name, those TCT fields are left empty.



This user name is then used for security checking for each transaction submitted by the user, and for each resource accessed by that transaction. For example, with terminal-attached transaction security enabled (KIXPCTSEC=YES), when the user submits a transaction, the transaction name (Trans ID) in the PCT is submitted with the KIX-ATTACH-TRANS resource class, along with the user name, to the external security manager through Sun MTP Secure.

If Sun MTP Secure then receives a denial from the ESM for that user's access to that transaction, the TRANSACTION NOT AUTHORIZED FOR USER message is displayed.

If the user wants to sign on as a different user with different privileges, the user can enter the CESN transaction with a valid user name and password.

If there is no validated user name identified with the user's connection, the region uses the default user name defined in the KIXSECDFLTUSER environment variable. The access rights for that default user name are configured with the ESM. For more information about $KIXSECDFLTUSER, refer to the section on Sun MTP Secure environment variables in the Sun Mainframe Transaction Processing Software Configuration Guide.



Note - When terminal-attached transaction security is enabled (KIXPCTSEC=YES), the required permissions for all the Sun MTP system transactions must be set in the ESM's security repository. See Security for Sun MTP System Transactions.



Administering Resource Security

When a region uses Sun MTP Secure, you can control the access to resources by transactions as well as access to those transactions. These resources are configured with the external security manager by their identity within predefined resource class types. You can also selectively disable and enable access checking by resource class type with the corresponding Sun MTP Secure environment variables. The following table lists each resource class type, the environment variable that controls checking for it, and the Sun MTP table in which the resource is defined.

Resource Class Type   Description                                                Sun MTP Secure Environment Variable   Sun MTP Table
KIX-ATTACH-TRANS      Submitted transaction name                                 KIXPCTSEC                             PCT
KIX-FILES             VSAM dataset name                                          KIXFCTSEC                             FCT
KIX-PROGRAMS          Application program name                                   KIXPPTSEC                             PPT
KIX-JOURNALS          Journal ID                                                 KIXJCTSEC                             JCT
KIX-START-TRANS       Started transaction name                                   KIXSTTSEC                             PCT
KIX-TD-QUEUE          Transient data queue name                                  KIXDCTSEC                             DCT
KIX-TS-QUEUE          Temporary storage queue name                               KIXTSTSEC                             TST
KIX-TERMINALS         Terminal name                                              KIXTCTSEC                             TCT
KIX-COMMANDS          Internal Sun MTP data accessible by SET/INQUIRE/PERFORM    KIXCMDSEC                             n/a


The region calls Sun MTP Secure for each resource access, presenting its name, resource class, the user name running the transaction, and the access permission required. The required permission for each access operation is illustrated in the following table.

TABLE 8-2 Access Definitions for EXEC CICS Commands

Resource Class Type   EXEC CICS Command         Access Permission Required
KIX-FILES             READ, STARTBR[1]          Read
                      WRITE, DELETE, REWRITE    Write
KIX-PROGRAMS          LOAD                      Read
                      XCTL, LINK                Execute
KIX-JOURNALS          JOURNAL                   Write
KIX-START-TRANS       START, DELAY              Execute
                      RETRIEVE                  Read
                      CANCEL                    Delete
KIX-TD-QUEUE          READQ, WRITEQ, DELETEQ    Write
KIX-TS-QUEUE          READQ                     Read
                      WRITEQ, DELETEQ           Write
KIX-TERMINALS         -                         Read
KIX-COMMANDS          INQUIRE                   Read
                      SET                       Write

The following table describes the required access permission for the remaining Sun MTP Secure resource classes.

TABLE 8-3 Access Definitions for Other Actions

Resource Class Type   Action                                             Access Permission Required
KIX-ATTACH-TRANS      Submitting new transactions                        Execute
UNIX-APPLS            Allowing access to an active Sun MTP region        Execute
                      Starting that region                               Create
                      Terminating that Sun MTP region, for example:      Delete
                        • CEMT PERFORM SHUTDOWN
                        • CSMT SHUT,YES
                        • PF3 key from Development System


Using the KIX-FILES Resource Class

VSAM file access control through the KIX-FILES resource class also controls batch program access (unikixvsam), the VSAM file utilities unikixbld and kixfile, as well as Sun MBM program access through the rtsvsam and sortx utilities.

Users are granted or denied access to VSAM files by these facilities according to the same permissions specified for KIX-FILES access by transactions. However, the user name associated with a batch job submitted through the batch server or the CBCH command (but not through Sun MBM) is the user name that started the region (kixstart or unikixmain), so such jobs run with the region starter's permissions rather than the submitter's. The user name associated with a Sun MBM job is the user who submits the job. Therefore, use Sun MBM for batch job submission when using Sun MTP Secure.

The KIX-FILES resource class also controls access to the VSAM catalog, which is a VSAM dataset with the name CATALOG. By granting or denying KIX-FILES read permission on the CATALOG dataset, users are granted or denied permission to view VSAM file definitions in the VSAM catalog using the CFMS transaction. By granting or denying KIX-FILES write permission on the CATALOG dataset, users are granted or denied permission to create, delete, or modify VSAM files defined in the VSAM catalog using the CFMS transaction or the unikixbld or kixfile utilities.

Using the KIX-COMMANDS Resource Class

The region also uses Sun MTP Secure to control access to internal administrative resources by the CEMT transaction or by applications that use the EXEC CICS INQUIRE/PERFORM/SET API. The resource class that represents these administrative commands is KIX-COMMANDS. The following table maps the resource names for the KIX-COMMANDS class to specific EXEC CICS and CEMT operations. Note that all INQUIRE functions require read permission and all SET functions require write permission. Most of these commands are common to both EXEC CICS and CEMT interfaces; but where they are unique to an interface, they are prefaced with either EXEC CICS or CEMT.

TABLE 8-4 KIX-COMMANDS Resources Subject to Security Checking

Resource Name   EXEC CICS/CEMT Command                 Permissions
TASK            EXEC CICS TASK LIST ...                Read
PROGRAM         INQUIRE/SET PROGRAM (name)             Read/write
TERMINAL        INQUIRE/SET TERMINAL (name)            Read/write
CONNECTION      CEMT INQ/SET CONNECTION ...            Read/write
TDQUEUE         INQUIRE/SET TDQUEUE (name)             Read/write
TRANSACTION     EXEC CICS INQUIRE TRANSACTION (name)   Read
                CEMT INQ/SET TASK ...                  Read/write
                CEMT INQ TRANID ...                    Read
                CEMT INQ FACILITY                      Read
                CEMT INQ ACTIVE                        Read
                CEMT INQ SUSPENDED                     Read
FILE            EXEC CICS INQUIRE/SET FILE (name)      Read/write
REQID           EXEC CICS INQUIRE/SET REQID            Read/write
TRANCLASS       INQUIRE/SET TRANCLASS                  Read/write
SECURITY        CEMT PERFORM SECURITY ...              Write
SHUTDOWN        CEMT PERFORM SHUTDOWN[2]               Write
SYSTEM          SET SYSTEM ...                         Write
                EXEC CICS INQUIRE SYSTEM               Read


Using Point-of-Entry Security

Point-of-entry security permits or denies a user access to a particular Sun MTP region, and to a specific terminal name in that region.

The UNIX-APPLS resource class can be configured with the ESM to permit or deny users access when they attempt to connect to a particular region, identified by its $KIXSYS value. The ESM also validates that the user is permitted to use the terminal name that was specified or acquired for that connection. The KIX-TERMINALS resource class is configured with the ESM to permit or deny a set of users access to a specific terminal name.

You can disable UNIX-APPLS resource checking by setting the KIXAPPSEC environment variable to NO. Refer to the Sun Mainframe Transaction Processing Software Configuration Guide for information about the Sun MTP Secure environment variables.

The ESM validates that a user has permission on the UNIX-APPLS resource to either start or terminate that region. If the user does not have permission to start the region with the kixstart command, the following message is displayed:

KIX0145F Userid not authorized to start this Sun MTP (UNIX-APPLS permission)



Note - Only the user name that started Sun MTP can run kixclean, not any user with UNIX-APPLS permission for that region.



Resource Name Prefixing

Sun MTP Secure provides an option to prefix all resource names. If several Sun MTP regions are managed by the same ESM, it might be necessary or desirable for the resources of each region to be uniquely qualified in this way. For example, users A, B, and C might have permission to access the PAYROLL dataset in the Test region but not in the Prod region, because the datasets are actually two different VSAM files.

Prefixing is enabled with the KIXSECPREFIX environment variable. If it is set to YES, all resource names are prefixed with the region's application name as defined in the SIT. Using the PAYROLL example, users A, B, and C would be checked by the ESM against the TestPAYROLL and ProdPAYROLL datasets, and could be authorized for TestPAYROLL but denied ProdPAYROLL, as configured in the ESM repository.

ESM Results Logging

Sun MTP Secure will record the results of ESM logons and access checking in the region's unikixmain.log file. The type of results written is defined in the KIXSEC_LOGGING environment variable. Setting this environment variable to ALL will log all ESM results, both success and failure. Setting the variable to DENIALS will log only ESM denial results. A setting of NONE will disable logging.



Note - This logging is in addition to any ESM audit logging, and is useful for tracking audit events for a specific region, which might not be visible in the ESM logs.



Security Access Results Caching

When an external security manager is in use, as the user attempts to access various resources, the results of those access attempts are stored in a region's area of cache memory referred to as a results cache. The results cache is used for subsequent accesses to the same resource, thereby expediting access. This cache area is not cleared when a user logs off.

If the rules in the security repository change and those rules affect the users of a region, execute the following system transaction. It clears the region's results cache, so the new rules are queried from the ESM as users next attempt to access resources. Because the cache is not cleared at sign-off, a permission that has been revoked in the ESM continues to be honored from the cache until this transaction is run.

CEMT PERFORM SECURITY REBUILD
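The following model is an added illustration written for this chapter, not Sun MTP or ESM code. It ties together three things described above: the permission each EXEC CICS command requires (TABLE 8-2 and TABLE 8-3), the resource name that is actually presented to the ESM when KIXSECPREFIX=YES (the section on Resource Name Prefixing), and the results cache that is kept across sign-off and emptied only by CEMT PERFORM SECURITY REBUILD. The Esm and Region classes, the rule store, the user and region names, and the labels ATTACH, CONNECT, STARTUP and SHUTDOWN for the non-command actions of TABLE 8-3 are this example's own assumptions; the default user KIXDFLT stands for whatever KIXSECDFLTUSER names.

```python
"""Model of how a region presents a resource check to the ESM.

Added illustration; not Sun MTP or ESM code. Esm, Region, the rule store and
the action labels for TABLE 8-3 are assumptions. Reproduced from the chapter:
the TABLE 8-2 command-to-permission mapping, KIXSECPREFIX concatenating the
application name directly in front of the resource name, the default user for
unauthenticated connections, and a results cache cleared only by REBUILD.
"""

# (resource class, EXEC CICS command or action) -> permission required
PERMISSION_REQUIRED = {
    ("KIX-FILES", "READ"): "read", ("KIX-FILES", "STARTBR"): "read",
    ("KIX-FILES", "WRITE"): "write", ("KIX-FILES", "DELETE"): "write",
    ("KIX-FILES", "REWRITE"): "write",
    ("KIX-PROGRAMS", "LOAD"): "read", ("KIX-PROGRAMS", "LINK"): "execute",
    ("KIX-PROGRAMS", "XCTL"): "execute",
    ("KIX-JOURNALS", "JOURNAL"): "write",
    ("KIX-START-TRANS", "START"): "execute", ("KIX-START-TRANS", "DELAY"): "execute",
    ("KIX-START-TRANS", "RETRIEVE"): "read", ("KIX-START-TRANS", "CANCEL"): "delete",
    ("KIX-TD-QUEUE", "READQ"): "write", ("KIX-TD-QUEUE", "WRITEQ"): "write",
    ("KIX-TD-QUEUE", "DELETEQ"): "write",
    ("KIX-TS-QUEUE", "READQ"): "read", ("KIX-TS-QUEUE", "WRITEQ"): "write",
    ("KIX-TS-QUEUE", "DELETEQ"): "write",
    ("KIX-COMMANDS", "INQUIRE"): "read", ("KIX-COMMANDS", "SET"): "write",
    # TABLE 8-3 actions; these action labels are this example's own
    ("KIX-ATTACH-TRANS", "ATTACH"): "execute",
    ("UNIX-APPLS", "CONNECT"): "execute", ("UNIX-APPLS", "STARTUP"): "create",
    ("UNIX-APPLS", "SHUTDOWN"): "delete",
}


class Esm:
    """Stand-in for the external security manager and its rule repository."""

    def __init__(self):
        self.rules = {}   # (class, resource) -> {user: set of permissions}
        self.calls = 0    # how many times the region really asked the ESM

    def permit(self, cls, resource, user, *permissions):
        self.rules.setdefault((cls, resource), {}).setdefault(user, set()).update(permissions)

    def revoke(self, cls, resource, user):
        self.rules.get((cls, resource), {}).pop(user, None)

    def check(self, cls, resource, user, permission):
        self.calls += 1
        return permission in self.rules.get((cls, resource), {}).get(user, set())


class Region:
    """One Sun MTP region: resource naming, default user and results cache."""

    def __init__(self, esm, appl_name, default_user, kixsecprefix=False):
        self.esm, self.appl_name, self.default_user = esm, appl_name, default_user
        self.kixsecprefix = kixsecprefix
        self._cache = {}  # (user, class, resource, permission) -> bool

    def resource_name(self, name):
        # KIXSECPREFIX=YES: application name + resource name, no separator
        return self.appl_name + name if self.kixsecprefix else name

    def check(self, user, cls, command, name):
        """Ask (or recall) whether `user` may run `command` against `name`."""
        user = user or self.default_user  # no validated user on the connection
        key = (user, cls, self.resource_name(name), PERMISSION_REQUIRED[(cls, command)])
        if key not in self._cache:
            self._cache[key] = self.esm.check(key[1], key[2], key[0], key[3])
        return self._cache[key]

    def security_rebuild(self):
        """CEMT PERFORM SECURITY REBUILD: drop all cached results."""
        self._cache.clear()


def demo():
    """Walk the PAYROLL example of this chapter; returns the observed results."""
    esm = Esm()
    esm.permit("KIX-FILES", "TestPAYROLL", "userA", "read", "write")
    esm.permit("KIX-ATTACH-TRANS", "TestCESN", "KIXDFLT", "execute")
    test = Region(esm, "Test", "KIXDFLT", kixsecprefix=True)
    prod = Region(esm, "Prod", "KIXDFLT", kixsecprefix=True)
    out = {}
    out["test_read"] = test.check("userA", "KIX-FILES", "READ", "PAYROLL")
    out["test_rewrite"] = test.check("userA", "KIX-FILES", "REWRITE", "PAYROLL")
    out["prod_read"] = prod.check("userA", "KIX-FILES", "READ", "PAYROLL")
    out["default_cesn"] = test.check(None, "KIX-ATTACH-TRANS", "ATTACH", "CESN")
    out["default_pay1"] = test.check(None, "KIX-ATTACH-TRANS", "ATTACH", "PAY1")
    calls = esm.calls
    test.check("userA", "KIX-FILES", "READ", "PAYROLL")  # repeat: served from cache
    out["served_from_cache"] = esm.calls == calls
    esm.revoke("KIX-FILES", "TestPAYROLL", "userA")       # rule changed in the ESM
    out["stale_after_revoke"] = test.check("userA", "KIX-FILES", "READ", "PAYROLL")
    test.security_rebuild()
    out["after_rebuild"] = test.check("userA", "KIX-FILES", "READ", "PAYROLL")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last three results are the point of the caching section: after the ESM rule is revoked, the region still answers the read from its cache until the REBUILD transaction is run, and only then is the denial seen. Treat that transaction as part of any permission-revocation procedure, not as an optional optimisation.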



1 (TableFootnote) The other VSAM browse operations (ENDBR, READNEXT, READPREV and RESETBR) are not subject to access permission checking because they all require a successful STARTBR in order to be used.
2 (TableFootnote) This command resource is also checked and enforced on the equivalent alternative internal Sun MTP methods to terminate the region: CSMT SHUT,YES and using the PF3 key on the Development System main menu (CMNU). Refer to the Sun Mainframe Transaction Processing Software Configuration Guide for information about shutting down a region.