Analyzer SYSTEM and SYSTEM-TLS security

HZASANP2 in the PARMLIB defines the security settings for running the Analyzer.

The following SYSTEM and SYSTEM-TLS settings are defined:
***********************************************************************
* FZVSAM Analyzer on-line mode settings for z/OS SYSTEM security and  *
* SYSTEM-TLS security                                                 *
***********************************************************************
* SECURITY=SYSTEM - HTTPS (SSL encrypted) communications              *
*                     with z/OS system security (SAF/RACF).           *
*                     Refer to HSISANS1/2/3 in JCLLIB for sample JCL  *
*                     to define RACF profiles/certificates.           *
*                                                                     *
***********************************************************************
* SECURITY=SYSTEM-TLS - SSL encryption handled by AT-TLS configuration*
*  NOTE: An AT-TLS rule needs to be defined by a system programmer.   *
* Following is an example of an AT-TLS rule:                          *
*  TTLSRule Secure_FZVSAM-Server                                      *
*  {                                                                  *
*    LocalPortRangeRef                port9133                        *
*    RemotePortRangeRef               portA11                         *
*    Direction                        Inbound                         *
*    TTLSGroupActionRef               gTLS                            *
*    TTLSEnvironmentActionRef         eFZVSAM                         *
*    Jobname                          SIMANL83                        *
*  }                                                                  *
***********************************************************************
*                                                                     *
SECURITY = SYSTEM
*SECURITY = SYSTEM-TLS

***********************************************************************
* The following settings are applicable only for                      *
* SECURITY=SYSTEM:                                                    *
*                                                                     *
*   AUTH_HLQ defines SAF/RACF profile high level qualifier            *
*                                                                     *
*   AUTH_UPPERCASE=Y Analyzer will uppercase passwords when           *
*                    invoking SAF/RACF password authentication.       *
*                    When password phrase support has been            *
*                    enabled AUTH_UPPERCASE=Y has no effect, and      *
*                    mixed case is used.                              *
*   AUTH_UPPERCASE=N Analyzer will pass through mixed case passwords  *
*                    when invoking SAF/RACF password authentication.  *
*                                                                     *
*   GSK_KEYRING_FILE defines SAF/RACF Keyring name of SSL Certificate *
*   GSK_KEY_LABEL    defines SAF/RACF Label name of SSL Certificate   *
*   GSK_....         defines optional z/OS SSL environment variables. *
*                    The z/OS Cryptographic Services Secure Sockets   *
*                    Layer Programming manual explains the            *
*                    environment variables.                           *
*                    For example, define GSK_HW_CRYPTO = 32           *
*                    for SHA-256 digest generation.                   *
*                                                                     *
***********************************************************************
* The following settings are applicable only for                      *
* SECURITY = SYSTEM-TLS:                                              *
*   AUTH_HLQ         defines SAF/RACF profile high level qualifier    *
*                                                                     *
*   AUTH_UPPERCASE=Y Analyzer will uppercase passwords when           *
*                    invoking SAF/RACF password authentication.       *
*                    When password phrase support has been            *
*                    enabled AUTH_UPPERCASE=Y has no effect, and      *
*                    mixed case is used.                              *
*   AUTH_UPPERCASE=N Analyzer will pass through mixed case passwords  *
*                    when invoking SAF/RACF password authentication   *
*   Note: These 3 parameters are not required and must be commented   *
*         out when using SECURITY = SYSTEM-TLS.                       *
*     -GSK_KEYRING_FILE                                               *
*     -GSK_KEY_LABEL                                                  *
*     -GSK_STATUS                                                     *
*                                                                     *
***********************************************************************
*                                                                     *
* JCLLIB(HSISANS1) contains sample JCL to define RACF profiles, using *
* a high level qualifier of 'FZVSAM'. If you have changed HSISANS1,   *
* you may also need to change the AUTH_HLQ TPARAM setting.            *
*                                                                     *
* JCLLIB(HSISANS2/3) contains sample JCL to define RACF SSL           *
* Certificates.  If you have changed HSISANS2/3, you may also need to *
* change the GSK_KEYRING_FILE and GSK_KEY_LABEL TPARAM settings.      *
*                                                                     *
***********************************************************************
AUTH_HLQ         = FZVSAM
AUTH_UPPERCASE   = Y
GSK_KEYRING_FILE = FZVSAM_KEYRING
GSK_KEY_LABEL    = FZVSAMCERT
GSK_STATUS       = OFF
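The two security modes differ in which GSK_* settings may be active: SECURITY = SYSTEM needs GSK_KEYRING_FILE and GSK_KEY_LABEL, while SECURITY = SYSTEM-TLS requires GSK_KEYRING_FILE, GSK_KEY_LABEL and GSK_STATUS to be commented out. The following Python script is an added example, not part of the product, that reads a member in the format shown above (comment lines start with '*', active settings are 'KEY = VALUE') and reports any violation of those rules. The two sample member texts are constructed; the second one shows the mistake the note above warns about (switching to SYSTEM-TLS while the GSK_* lines stay active).

```python
"""Consistency check for the Analyzer PARMLIB security settings.

Added example, not part of the product.  Assumed member format (as shown
above): lines beginning with '*' are comments, active settings are
'KEY = VALUE'.  Rules checked come from the comments in the member:
  - SECURITY must be SYSTEM or SYSTEM-TLS;
  - SECURITY = SYSTEM needs GSK_KEYRING_FILE and GSK_KEY_LABEL;
  - SECURITY = SYSTEM-TLS needs GSK_KEYRING_FILE, GSK_KEY_LABEL and
    GSK_STATUS commented out;
  - AUTH_HLQ is required and AUTH_UPPERCASE, if present, is Y or N.
"""

GSK_SYSTEM_ONLY = ("GSK_KEYRING_FILE", "GSK_KEY_LABEL", "GSK_STATUS")

# Constructed sample: the SYSTEM-mode member with the values shown above.
MEMBER_SYSTEM = """\
SECURITY = SYSTEM
*SECURITY = SYSTEM-TLS
AUTH_HLQ         = FZVSAM
AUTH_UPPERCASE   = Y
GSK_KEYRING_FILE = FZVSAM_KEYRING
GSK_KEY_LABEL    = FZVSAMCERT
GSK_STATUS       = OFF
"""

# Constructed sample: switched to SYSTEM-TLS but the GSK_* lines left active,
# which the member's own comments say must not happen.
MEMBER_TLS_DRIFT = """\
*SECURITY = SYSTEM
SECURITY = SYSTEM-TLS
AUTH_HLQ         = FZVSAM
AUTH_UPPERCASE   = Y
GSK_KEYRING_FILE = FZVSAM_KEYRING
GSK_KEY_LABEL    = FZVSAMCERT
GSK_STATUS       = OFF
"""


def parse_member(text):
    """Return active settings as {KEY: VALUE}; '*' comment lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # ignore anything that is not KEY = VALUE
            settings[key.strip().upper()] = value.strip()
    return settings


def check_security_settings(settings):
    """Return a list of findings; an empty list means the member is consistent."""
    findings = []
    mode = settings.get("SECURITY")
    if mode not in ("SYSTEM", "SYSTEM-TLS"):
        findings.append(f"SECURITY must be SYSTEM or SYSTEM-TLS, found {mode!r}")
        return findings  # nothing else can be judged without a valid mode
    if "AUTH_HLQ" not in settings:
        findings.append("AUTH_HLQ is missing (needed in both modes)")
    if settings.get("AUTH_UPPERCASE", "Y") not in ("Y", "N"):
        findings.append("AUTH_UPPERCASE must be Y or N")
    if mode == "SYSTEM":
        # The Analyzer terminates TLS itself and needs the keyring and label.
        for key in ("GSK_KEYRING_FILE", "GSK_KEY_LABEL"):
            if key not in settings:
                findings.append(f"{key} is required for SECURITY = SYSTEM")
    else:
        # AT-TLS handles TLS; the GSK_* settings must be commented out.
        for key in GSK_SYSTEM_ONLY:
            if key in settings:
                findings.append(f"{key} must be commented out for SECURITY = SYSTEM-TLS")
    return findings


def lint_member(text):
    """Parse and check a member in one call, returning the findings."""
    return check_security_settings(parse_member(text))


if __name__ == "__main__":
    for name, member in (("SYSTEM", MEMBER_SYSTEM), ("TLS drift", MEMBER_TLS_DRIFT)):
        result = lint_member(member) or ["OK"]
        print(f"{name}: " + "; ".join(result))
```

Running the script prints OK for the first member and three findings for the second, one per GSK_* line that should have been commented out; the same check can be pointed at a copy of the real member before it is put into service.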
HZASANS1 in the JCLLIB has sample JCL to define RACF® security profiles.
Note:
The RACF® ID can be an existing RACF® group (to which user IDs have been connected), one or more existing RACF® user IDs, or both.
If your z/OS® system has been set up to use a third-party alternative to RACF®, you must define comparable settings in that security product.
/*--------------------------------------------------------------*/
/* FZVSAM ANALYZER DATABASE PROFILES                             */
/*--------------------------------------------------------------*/
 RDELETE FACILITY  FZVSAM.DB.AU*                                   
 RDEFINE FACILITY  FZVSAM.DB.AU*          UACC(NONE)               
 PERMIT            FZVSAM.DB.AU*          ACCESS(READ) -           
   CLASS(FACILITY) ID(FZVSAMADM,FZVSAMUSR,AUID001)                  
                                                                  
 RDELETE FACILITY  FZVSAM.DB.*                                     
 RDEFINE FACILITY  FZVSAM.DB.*            UACC(NONE)               
 PERMIT            FZVSAM.DB.*            ACCESS(READ) -           
   CLASS(FACILITY) ID(FZVSAMADM,FZVSAMUSR)                          
 PERMIT            FZVSAM.DB.*            ACCESS(NONE) -           
   CLASS(FACILITY) ID(AUID001)                                    
/*--------------------------------------------------------------*/
/* FZVSAM ANALYZER MENU PROFILES                                 */
/*--------------------------------------------------------------*/
 RDELETE FACILITY  FZVSAM.MENU.ASSET                              
 RDEFINE FACILITY  FZVSAM.MENU.ASSET      UACC(NONE)              
 PERMIT            FZVSAM.MENU.ASSET      ACCESS(READ) -          
   CLASS(FACILITY) ID(FZVSAMADM,FZVSAMUSR,AUID001)                 
                                                                 
 RDELETE FACILITY  FZVSAM.MENU.DISC                               
 RDEFINE FACILITY  FZVSAM.MENU.DISC       UACC(NONE)              
 PERMIT            FZVSAM.MENU.DISC       ACCESS(READ) -          
   CLASS(FACILITY) ID(FZVSAMADM,FZVSAMUSR)
    
 RDELETE FACILITY  FZVSAM.MENU.ADMINR
 RDEFINE FACILITY  FZVSAM.MENU.ADMINR     UACC(NONE) 
 PERMIT            FZVSAM.MENU.ADMINR     ACCESS(READ) -
   CLASS(FACILITY) ID(FZVSAMADM,FZVSAMUSR)                  
                                                              
 RDELETE FACILITY  FZVSAM.MENU.ADMIN                              
 RDEFINE FACILITY  FZVSAM.MENU.ADMIN      UACC(NONE)              
 PERMIT            FZVSAM.MENU.ADMIN      ACCESS(READ) -          
   CLASS(FACILITY) ID(FZVSAMADM)                                  
                                                                     
 RDELETE FACILITY  FZVSAM.MENU.ADMIN.LIB_CLASSIFICATION               
 RDEFINE FACILITY  FZVSAM.MENU.ADMIN.LIB_CLASSIFICATION UACC(NONE)    
 PERMIT            FZVSAM.MENU.ADMIN.LIB_CLASSIFICATION ACCESS(READ) -
   CLASS(FACILITY) ID(FZVSAMADM)                                      
                                                                     
 RDELETE FACILITY  FZVSAM.MENU.CUSTOM                                 
 RDEFINE FACILITY  FZVSAM.MENU.CUSTOM     UACC(NONE)                  
 PERMIT            FZVSAM.MENU.CUSTOM     ACCESS(READ) -              
   CLASS(FACILITY) ID(FZVSAMADM,FZVSAMUSR)                             
                                                                     
  SETROPTS RACLIST(FACILITY) REFRESH
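The profile set above implements a small least-privilege scheme: every profile is defined with UACC(NONE), AUID001 can read only the FZVSAM.DB.AU* databases and is explicitly given ACCESS(NONE) on the rest of FZVSAM.DB.*, and the ADMIN menus are permitted only to FZVSAMADM. The following Python script is an added example, not part of the product or of RACF: it parses a command stream in this form (joining the '-' continuation lines), builds the per-profile access table and checks those properties, so the same review can be repeated after the profiles have been edited. The admin-ID set and the drifted command sample are constructed assumptions, and its generic-profile matching is a simplification of RACF's rules that is adequate for the profiles shown here.

```python
"""Least-privilege audit of RACF FACILITY profiles from a command stream.

Added example, not part of the product or of RACF.  It parses RDEFINE and
PERMIT commands (RDELETE and SETROPTS are ignored), joins '-' continuation
lines, builds {profile: {"uacc", "access": {id: level}}} and checks:
  - every profile was defined with UACC(NONE) (an omitted UACC is flagged,
    because RDEFINE then takes a default rather than NONE);
  - nothing under FZVSAM.MENU.ADMIN is permitted to a non-admin ID.
Generic matching in effective_access() is a simplification of RACF's rules.
"""
import re

ADMIN_IDS = {"FZVSAMADM"}  # assumption: the only administrative ID

# Copy of the sample commands above (RDELETE lines omitted).
RACF_COMMANDS = """\
/* FZVSAM ANALYZER DATABASE PROFILES */
 RDEFINE FACILITY  FZVSAM.DB.AU*          UACC(NONE)
 PERMIT            FZVSAM.DB.AU*          ACCESS(READ) -
   CLASS(FACILITY) ID(FZVSAMADM,FZVSAMUSR,AUID001)
 RDEFINE FACILITY  FZVSAM.DB.*            UACC(NONE)
 PERMIT            FZVSAM.DB.*            ACCESS(READ) -
   CLASS(FACILITY) ID(FZVSAMADM,FZVSAMUSR)
 PERMIT            FZVSAM.DB.*            ACCESS(NONE) -
   CLASS(FACILITY) ID(AUID001)
 RDEFINE FACILITY  FZVSAM.MENU.ADMIN      UACC(NONE)
 PERMIT            FZVSAM.MENU.ADMIN      ACCESS(READ) -
   CLASS(FACILITY) ID(FZVSAMADM)
 RDEFINE FACILITY  FZVSAM.MENU.CUSTOM     UACC(NONE)
 PERMIT            FZVSAM.MENU.CUSTOM     ACCESS(READ) -
   CLASS(FACILITY) ID(FZVSAMADM,FZVSAMUSR)
 SETROPTS RACLIST(FACILITY) REFRESH
"""

# Constructed drift: UACC widened, a user permitted on an admin menu, UACC omitted.
DRIFTED_COMMANDS = """\
 RDEFINE FACILITY  FZVSAM.MENU.ADMIN      UACC(READ)
 PERMIT            FZVSAM.MENU.ADMIN      ACCESS(READ) -
   CLASS(FACILITY) ID(FZVSAMADM,FZVSAMUSR)
 RDEFINE FACILITY  FZVSAM.MENU.CUSTOM
"""


def join_continuations(text):
    """Yield logical commands; a line ending in '-' continues on the next line."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue  # blank or comment
        if line.endswith("-"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)  # tolerate a dangling continuation


def parse_racf_commands(text):
    """Build {profile: {"uacc": level, "access": {id: level}}} from RDEFINE/PERMIT."""
    profiles = {}
    for cmd in join_continuations(text):
        tokens = cmd.split()
        verb = tokens[0].upper()
        if verb == "RDEFINE":
            m = re.search(r"UACC\((\w+)\)", cmd)
            uacc = m.group(1).upper() if m else "UNSPECIFIED"
            profiles[tokens[2]] = {"uacc": uacc, "access": {}}
        elif verb == "PERMIT":
            m = re.search(r"ACCESS\((\w+)\)", cmd)
            level = m.group(1).upper() if m else "READ"  # PERMIT default is READ
            ids = re.search(r"ID\(([^)]*)\)", cmd).group(1)
            entry = profiles.setdefault(tokens[1], {"uacc": "UNSPECIFIED", "access": {}})
            for uid in ids.split(","):
                entry["access"][uid.strip()] = level
    return profiles


def _profile_regex(profile):
    """Simplified generic matching: '*' within a qualifier, '**' across qualifiers."""
    pattern = re.escape(profile).replace(r"\*\*", ".*").replace(r"\*", "[^.]*").replace("%", "[^.]")
    return re.compile("^" + pattern + "$")


def effective_access(profiles, uid, resource):
    """Access uid has to resource: the most specific matching profile wins,
    approximated as the one with the most non-wildcard characters."""
    matches = [n for n in profiles if _profile_regex(n).match(resource)]
    if not matches:
        return None  # no profile covers the resource
    best = max(matches, key=lambda n: len(n.replace("*", "").replace("%", "")))
    return profiles[best]["access"].get(uid, profiles[best]["uacc"])


def audit(profiles, admin_ids):
    """Return findings for widened UACCs and non-admin access to admin menus."""
    findings = []
    for name, p in sorted(profiles.items()):
        if p["uacc"] != "NONE":
            findings.append(f"{name}: UACC is {p['uacc']}, expected NONE")
        if name.startswith("FZVSAM.MENU.ADMIN"):
            for uid, level in p["access"].items():
                if level != "NONE" and uid not in admin_ids:
                    findings.append(f"{name}: {uid} permitted {level} but is not an admin ID")
    return findings


if __name__ == "__main__":
    shipped = parse_racf_commands(RACF_COMMANDS)
    print("shipped profiles:", audit(shipped, ADMIN_IDS) or "OK")
    print("AUID001 on FZVSAM.DB.AU001:", effective_access(shipped, "AUID001", "FZVSAM.DB.AU001"))
    print("AUID001 on FZVSAM.DB.MAIN:", effective_access(shipped, "AUID001", "FZVSAM.DB.MAIN"))
    for f in audit(parse_racf_commands(DRIFTED_COMMANDS), ADMIN_IDS):
        print("drift:", f)
```

The effective_access() calls show why the explicit ACCESS(NONE) for AUID001 on FZVSAM.DB.* matters: with both generics defined, a resource such as FZVSAM.DB.AU001 resolves to the more specific FZVSAM.DB.AU* profile (READ), while FZVSAM.DB.MAIN resolves to FZVSAM.DB.* where the user is explicitly denied.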